PreparedStatement doesn’t escape anything – it relies on database support for precompiled statements.

That is, PreparedStatement never substitutes ?s for parameter values in order to form a literal query string. Instead, it sends a query string with placeholders to the database and uses database support to bind query parameters (however, it may depend on JDBC driver implementation).