You need to use:
preparedStatement.executeQuery();
instead of
preparedStatement.executeQuery(login);
when you pass in a string to executeQuery()
that query is executed literally and thus the ?
is send to the database which then creates the error. By passing query string you are not execution the “cached” prepared statement for which you passed the values.