SQL Injection is a common security problem.
It often stems from concatenation of SQL query parameters. For instance, if you allow a user to provide unvalidated input to your SQL queries, then they can inject SQL code into part of the query that is then executed. How does PreparedStatement prevent this problem?
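An added example, not part of the question above, showing the concatenation problem beside the bound-parameter form. It uses Python's `sqlite3` placeholder binding as a stand-in for a JDBC `PreparedStatement` (the mechanism is the same: the SQL text is fixed, the value travels separately and is never parsed as SQL); the table contents and the hostile input are constructed here.

```python
import sqlite3

def make_db():
    """Constructed sample data: a small in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b"),
                      ("O'Brien", "s3cret-o")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable: the input is pasted into the query text, so the SQL
    parser sees any quotes or keywords the input carries."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    """Safe: the query text contains only a placeholder; the value is bound
    afterwards and compared as data, which is what a PreparedStatement does."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

def demo():
    """Run both variants against a normal name, a hostile string and a
    legitimate name containing a quote; return the observed results."""
    conn = make_db()
    hostile = "x' OR '1'='1"          # constructed tautology payload
    try:
        concat_quote = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError:
        concat_quote = "syntax error"   # the stray quote breaks the query
    return {
        "concat_normal": lookup_concat(conn, "alice"),
        "concat_hostile": lookup_concat(conn, hostile),  # every row leaks
        "concat_quote": concat_quote,
        "bound_normal": lookup_bound(conn, "alice"),
        "bound_hostile": lookup_bound(conn, hostile),    # no such name
        "bound_quote": lookup_bound(conn, "O'Brien"),    # quote handled
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The hostile string changes the meaning of the concatenated query but is just a non-matching value in the bound one; binding also makes the legitimate quoted name work, which concatenation cannot.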