SQL error

Hi folks! I'm having a bit of trouble getting a SELECT SQL query to work. I'm not sure what's wrong with it as it should work. I pass a parameter which is the ID of a customer and this ID should then be used to select appopriate fields from the CUSTOMER table for that particular record. Here is the query -
Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery("SELECT CustID, AddressLine1, AddressLine2, AddressLine3, Postcode FROM CUSTOMER WHERE CustID =custId");
The problem I have is that I usually specify the WHERE part as
WHERE CustID='"+custId+"' ...
But when I do this the query does not execute at all. But the above way, ALL of the records from the table are displayed, despite sending a specific ID.
Can anyone help??
Thanks!

You want to use the PreparedStatement class. You give this class your SQL quey with the variables represented as "?" marks. Then you use the setXXX methods to specify the values of the variables before issuing the query. The PreparedStatement takes care of all the quoting and escaping that might need to be done.

Thanks Sheriff, I think I'll use prepared statements all the time now!