The quotes shouldn't be in the prepared statement either, but inserting table/column names is a bigger problem. Or are you saying your database supports that? If so, which one is it? I've never heard of that.
Some databases/drivers unfortunately support PreparedStatements with table and column names as parameters, BUT oftentimes this is just a fluke. The JDBC driver could escape the value of the column or table name, and the escaped value happens to produce valid SQL. It's extremely dangerous to do, though, since any change to the driver or database could easily break the query.
For things like this, you really need to build the query yourself with StringBuilder and only apply PreparedStatement parameters to things that are parameters, not tables and columns. I've seen people write JDBC code such as "ORDER BY ?" which happens to work for some drivers, but in general should never work. The query should be resolved as part of building the query string and fed into the PreparedStatement fully formed.
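A sketch of the approach described in the post above, added as an illustration and not code from the thread: table and column names are checked against a fixed allowlist and appended with StringBuilder, and only the filter value remains a `?` parameter. The schema (`orders`, `customers`, `status`) and the class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;

public class OrderQueryBuilder {
    // Hypothetical schema: the only identifiers allowed into the SQL text.
    private static final Map<String, Set<String>> SORTABLE = Map.of(
            "orders", Set.of("id", "created_at", "total"),
            "customers", Set.of("id", "name"));

    /** Builds the fully formed SQL text; the status value stays a '?' parameter. */
    static String buildSql(String table, String sortColumn, boolean descending) {
        Set<String> columns = (table == null) ? null : SORTABLE.get(table);
        if (columns == null) {
            throw new IllegalArgumentException("unknown table: " + table);
        }
        if (sortColumn == null || !columns.contains(sortColumn)) {
            throw new IllegalArgumentException("unknown sort column: " + sortColumn);
        }
        // Identifiers reach this point only if they matched the allowlist exactly.
        return new StringBuilder("SELECT * FROM ").append(table)
                .append(" WHERE status = ?")
                .append(" ORDER BY ").append(sortColumn)
                .append(descending ? " DESC" : " ASC")
                .toString();
    }

    /** Prepares the statement; binding is used only for the data value. */
    static PreparedStatement prepare(Connection conn, String table, String sortColumn,
                                     boolean descending, String status) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(buildSql(table, sortColumn, descending));
        ps.setString(1, status);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed inputs; no database connection is needed to see the SQL text.
        System.out.println(buildSql("orders", "created_at", true));
        try {
            buildSql("orders", "total; --", false); // not on the allowlist
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the identifiers never pass through the driver's parameter escaping, the query text is the same on every driver, and a request for a column outside the allowlist fails before any SQL is sent.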