Rajesh Patel brought once again to my attention the fact that many developers assume an ORM framework protects you from SQL injection.
SQL or HQL or whatever injection, is just exploiting a bug whose source is String concatenation. It has nothing to do with which tool you use to get, store, delete or update data from some storage. It is related, instead, on how you build your statements.
Hibernate will protect you, if you use Criteria or named parameters to build your queries. JDBC will protect you too, if you use it correctly.
The fact is, as long as you build your queries the wrong way (that is,
"SELECT * FROM table WHERE '" + condition + "'"), nothing can protect you.
SQL Injection is not a good way to call this issue, as it makes people think it’s a database related issue. Instead, it’s just bad coding, and lack of understanding about String concatenation.