Parameterized placeholders in prepared statements can only be used for values, not for database objects such as table names or column names.
You can use string concatenation, but please verify the column name before adding it, or it might lead to SQL injection.
PreparedStatement preparedStatement = null;
try {
    String columnName = User.getUsername();
    // Allow-list check: accept only letters, digits and underscores
    if (!columnName.matches("[A-Za-z0-9_]+")) { // something like this
        throw new IllegalArgumentException("Invalid column name: " + columnName);
    }
    // The validated name is concatenated because a placeholder cannot stand in for a column name
    final String QUERY_SQL = "ALTER TABLE TableName ADD " + columnName + " BOOLEAN";
    preparedStatement = connection.prepareStatement(QUERY_SQL);
    preparedStatement.executeUpdate();
    preparedStatement.close();
} catch (SQLException e) {