replaceAll() takes a regex input and I think it fails since '?' has a special meaning in regex. Modify it to replace() or instead of '?' use symbols like '#' to make it work with replaceAll().
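To make the point above concrete, here is a small added example (not code from the question or the answer) showing what happens when a query template containing `?` placeholders is passed through `String.replaceAll` versus `String.replace`. The template string and the value being substituted are made up for the demonstration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class PlaceholderDemo {
    // Constructed query template with two JDBC-style placeholders.
    static final String TEMPLATE = "SELECT * FROM users WHERE name = ? AND age > ?";

    // String.replaceAll compiles its first argument as a regex.
    // A bare "?" is a quantifier with nothing to quantify, so the call
    // throws PatternSyntaxException ("Dangling meta character '?'").
    static String withReplaceAll(String template, String value) {
        return template.replaceAll("?", value);
    }

    // String.replace treats both arguments as literal text and still
    // replaces every occurrence, so this is the drop-in fix.
    static String withReplace(String template, String value) {
        return template.replace("?", value);
    }

    // If replaceAll must be kept, quote the pattern so "?" is literal and
    // quote the replacement so "$" or "\" in the value are not interpreted.
    static String withQuotedReplaceAll(String template, String value) {
        return template.replaceAll(Pattern.quote("?"), Matcher.quoteReplacement(value));
    }

    public static void main(String[] args) {
        String value = "'bob'";
        try {
            System.out.println(withReplaceAll(TEMPLATE, value));
        } catch (PatternSyntaxException e) {
            System.out.println("replaceAll failed: " + e.getDescription());
        }
        System.out.println(withReplace(TEMPLATE, value));
        System.out.println(withQuotedReplaceAll(TEMPLATE, value));
    }
}
```

Note that all three variants splice the value into the SQL text itself; fixing the regex error makes the code run, but it does not make the resulting query safe against a value chosen by the user.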
You shouldn't use string concatenation etc. to build an SQL statement at all. This makes your program vulnerable to security problems such as SQL injection. Instead, you should use a PreparedStatement. It will handle filling in the parameters for the statement for you, and escape values properly to prevent SQL injection.
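The following is an added example (not code from the answer) that puts the concatenated query and the `PreparedStatement` version side by side against the same malicious input. It assumes an in-memory H2 database reachable at the hypothetical URL `jdbc:h2:mem:demo`; any JDBC driver with an in-memory mode would do, and the table contents are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjectionDemo {
    // Assumed JDBC URL for an in-memory H2 database (driver must be on the classpath).
    static final String JDBC_URL = "jdbc:h2:mem:demo";

    // Vulnerable: the user-controlled value becomes part of the SQL text,
    // so a quote in the input changes the structure of the statement.
    static String buildByConcatenation(String name) {
        return "SELECT id, name FROM users WHERE name = '" + name + "'";
    }

    static int countByConcatenation(Connection conn, String name) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(buildByConcatenation(name))) {
            int rows = 0;
            while (rs.next()) rows++;
            return rows;
        }
    }

    // Safe: the SQL text is fixed at compile time and the value travels
    // to the database as a bound parameter, never as part of the statement.
    static int countByPreparedStatement(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                int rows = 0;
                while (rs.next()) rows++;
                return rows;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            // Constructed sample data.
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(50))");
                st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
            }
            // Classic tautology payload: no user is literally named this.
            String attack = "x' OR '1'='1";
            System.out.println("concatenated query: " + buildByConcatenation(attack));
            System.out.println("rows via concatenation:     " + countByConcatenation(conn, attack));
            System.out.println("rows via PreparedStatement: " + countByPreparedStatement(conn, attack));
        }
    }
}
```

With the concatenated query the `WHERE` clause becomes `name = 'x' OR '1'='1'`, which is true for every row, so both users come back; the prepared statement compares `name` against the whole literal string `x' OR '1'='1` and returns nothing. The same `setString`/`setInt` binding applies to every parameter, which also removes the need for the `?`-substitution code from the question entirely.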