jsp插入语句参数形式

各位大神，江湖救急，在jsp中怎么把

"insert into student(id,name,age,gender,major)values("+id+",'"+name+"',"+age+",'"+gender+"','"+major+"')"  这种形式转换成这种：

String SQL = "INSERT INTO student(id,name,age,gender,major) VALUES(?,?,?,?,?)";  

完整代码是这样的：

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> 
<%@ page import="java.sql.*"%> 
<% 
String path = request.getContextPath(); 
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; 
%> 
 
 
	 
		 
		 
		 
		 
		 
		 
		 
		 

	 
		
		

    		  
		
		<% 
		request.setCharacterEncoding("UTF-8"); 
		String id=request.getParameter("id"); //它是一种取参数的方法。把jsp文件中的数据读取到出来。然后就可以封装利用起来。
		String name=request.getParameter("name"); 
		System.out.println(name); 
		String age=request.getParameter("age"); 
		String gender=request.getParameter("gender");
		String major=request.getParameter("major"); 
		Connection conn=null; 
		Statement stat=null; 
		ResultSet rs=null; 

		Class.forName("oracle.jdbc.driver.OracleDriver"); 
		String url="jdbc:oracle:thin:@localhost:1521:orcl";


		String user="y_user"; 
		String password="koy"; 
		conn=DriverManager.getConnection(url,user,password); 
		stat=conn.createStatement(); 

		rs=stat.executeQuery("insert into student(id,name,age,gender,major)values("+id+",'"+name+"',"+age+",'"+gender+"','"+major+"')");
	

		 /* String SQLQuery = "INSERT INTO student(id,name,age,gender,major) VALUES(?,?,?,?,?)";  
		 rs = stat.executeQuery(SQLQuery) ;
		out.print(SQLQuery); */

		%> 
		 

		<% 
		if(rs.next()) 
		{ out.print("
成功输入！
");
		} 
		else{ out.print("
输入失败！
"); } 
		%> 

		
 返回信息输入页面 
		 

		<% 
		if(rs!=null) { rs.close(); } 
		if(stat!=null) { stat.close(); } 
		if(conn!=null) { conn.close(); } 
		%>