SetWhereClause: Multiple Parameters
616023, Feb 15 2008 — edited Feb 15 2008

I have an ADF Parameter Form that I implemented on a JSP page to allow users to enter search criteria. The criteria entered are inserted into the where clause with the following code:
import oracle.jbo.ViewObject;
import oracle.jbo.domain.Number;

public void searchInventory(Number OwnerName, Number UnitNo, Number Loc, Number Citem, String SNO, Number Project)
{
    ViewObject vo = getInvView();
    // Build the where clause by concatenating the raw form values into the SQL text
    String sql = "OWNERNAME LIKE '%" + OwnerName + "%'"
               + " OR UNITNO LIKE '%" + UnitNo + "%'"
               + " OR LOC LIKE '%" + Loc + "%'"
               + " OR CITEM LIKE '%" + Citem + "%'"
               + " OR SNO LIKE '%" + SNO + "%'"
               + " OR PROJECT LIKE '%" + Project + "%'";
    vo.setWhereClause(sql);
    vo.executeQuery();
}
This isn't working because I'm not sure the correct fields are being passed in correctly. Is there a way to bind the fields to a variable that I can pass into this method? Also, does anyone have any suggestions on how to prevent SQL injection through these fields?
Thanks,
[tim]
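A hardened version of the posted method, written here as an added example rather than taken from the thread: the user input only ever becomes a bind value, never part of the SQL text. It assumes getInvView() returns a ViewObject whose BindingStyle property is Oracle positional (:1, :2, ... placeholders), and that the six form fields arrive with the same types as in the original signature.

```java
import java.util.ArrayList;
import java.util.List;
import oracle.jbo.ViewObject;
import oracle.jbo.domain.Number;

// Added example, not the poster's code. Assumes getInvView() returns a ViewObject
// using the Oracle positional binding style (:1, :2, ...).
public void searchInventory(Number ownerName, Number unitNo, Number loc,
                            Number citem, String sno, Number project) {
    ViewObject vo = getInvView();

    // The column list is fixed in code, so the shape of the SQL is decided here,
    // not by whatever the user typed into the form.
    String[] columns = { "OWNERNAME", "UNITNO", "LOC", "CITEM", "SNO", "PROJECT" };
    Object[] inputs  = { ownerName, unitNo, loc, citem, sno, project };

    StringBuilder where = new StringBuilder();
    List<Object> bindValues = new ArrayList<Object>();
    for (int i = 0; i < columns.length; i++) {
        if (inputs[i] == null) {
            // Empty form field: add no predicate (the original compared against "%null%")
            continue;
        }
        if (where.length() > 0) {
            where.append(" OR ");
        }
        // Placeholder :N instead of the value. The '%' wildcards travel inside the
        // bound value, so a field containing quotes or SQL keywords is compared
        // literally by the database instead of being parsed as part of the statement.
        where.append(columns[i]).append(" LIKE :").append(bindValues.size() + 1);
        bindValues.add("%" + inputs[i].toString() + "%");
    }

    // No criteria at all: a null where clause removes the filter entirely.
    vo.setWhereClause(where.length() == 0 ? null : where.toString());
    vo.setWhereClauseParams(bindValues.toArray());
    vo.executeQuery();
}
```

If the view object uses the named binding style instead, the same idea applies with defineNamedWhereClauseParam and setNamedWhereClauseParam, and the :N placeholders become :name placeholders.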