My first thought is that I'm surprised that doesn't throw an error.
Maybe MySQL takes the values of the current row (whatever that might mean in this case), which would be nulls in this case?
In any case, if you were expecting the SQL to understand that the given values are actually Java variables in your Java app then that is not going to happen.
You have your Java app.
That sends a SQL call to MySQL.
MySQL knows nothing about where that call comes from, only that it is a valid user.
The SQL sent has to be something you could actually execute by hand on MySQL (via the command line or a MySQL IDE), though in the case of JDBC PreparedStatements the variable binding syntax may be slightly different.