Use PreparedStatements! They will deal with the syntax and prevent SQL injection.
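Added example (not part of the answer above) showing both points the answer makes, in Java/JDBC: string concatenation breaks as soon as the input contains a quote, while the bound parameter of a `PreparedStatement` is handed to the driver as data and can never alter the statement's structure. The `users` table and its rows are constructed sample data, and the `main` method assumes a SQLite JDBC driver on the classpath (any JDBC driver and URL behaves the same way).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Vulnerable: user-controlled text is spliced into the SQL string, so the
    // database parses it as part of the statement rather than as a value.
    static int countUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the statement text is fixed at prepare time and the value is bound
    // separately; quoting and escaping are the driver's job, and the input
    // cannot change what the query does.
    static int countSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: a SQLite JDBC driver (e.g. xerial sqlite-jdbc) is on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample data for the demo.
                st.execute("CREATE TABLE users (name TEXT)");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob')");
            }

            // A perfectly legitimate input that happens to contain a quote.
            String input = "O'Brien";

            // The prepared statement simply finds no such user.
            System.out.println("safe:   " + countSafe(conn, input));

            // The concatenated query is now malformed SQL: the quote in the
            // input terminated the string literal early.
            try {
                System.out.println("unsafe: " + countUnsafe(conn, input));
            } catch (SQLException e) {
                System.out.println("unsafe: SQL syntax error -> " + e.getMessage());
            }
        }
    }
}
```

The syntax error in `countUnsafe` is the same mechanism an injection relies on: once input can close the string literal, whatever follows is parsed as SQL. `countSafe` never has that problem because the parameter is transmitted outside the statement text, so the fix for "my query breaks on apostrophes" and the fix for SQL injection are one and the same.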