The problem is not in using PreparedStatement, because the prepared statement object holds the SQL query. Then why unnecessarily pass the SQL string to the executeQuery() method?

PreparedStatement preparedStatement = conn.prepareStatement(sql);

This holds the SQL query, and when the executeQuery() method is called the query is evaluated.
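The two call patterns side by side, as an added example that is not part of the answer above. It assumes a hypothetical users table with a username column; the connection is whatever your application already has.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class PreparedStatementUsage {

    // The mistake discussed above. The SQL is already bound at
    // prepareStatement(), so passing it again to executeQuery(String) is
    // redundant; that overload is the inherited Statement method, and the
    // JDBC javadoc specifies it throws SQLException when called on a
    // PreparedStatement. Worse, building the string by concatenation means
    // the query is injectable before the PreparedStatement is even involved.
    static ResultSet wrong(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username + "'";
        PreparedStatement ps = conn.prepareStatement(sql);
        return ps.executeQuery(sql); // SQLException with a conforming driver
    }

    // Correct usage: a '?' placeholder in the SQL, the value bound with a
    // setXxx() method, and the no-argument executeQuery() running the query
    // the statement already holds. The driver sends the value as a parameter,
    // so it can never change the structure of the query.
    static ResultSet correct(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ?";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, username);
        return ps.executeQuery();
    }
}
```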