SQL injection prevention with hibernate

Front-end · unresolved · 2 answers · 543 views
予麋鹿 2021-01-26 00:33

I have existing code where the application generates different SQL depending on a lot of conditions and executes it via the Hibernate session's createSQLQuery(). Here the parameters

2 answers
  •  野的像风
    2021-01-26 00:54

    If you need to assemble custom SQL into a query, I've found that writing my own criteria classes that include the custom SQL works well.

    You just need to implement the Criterion interface. https://docs.jboss.org/hibernate/orm/3.5/api/org/hibernate/criterion/Criterion.html

    (See also the Hibernate implementation of 'not null': http://www.grepcode.com/file/repo1.maven.org/maven2/org.hibernate/hibernate/3.2.4.sp1/org/hibernate/criterion/NotNullExpression.java?av=f .)

    Then you can simply build up each custom query using the normal Hibernate Criteria API.

    https://docs.jboss.org/hibernate/orm/3.3/reference/en/html/querycriteria.html#querycriteria-creating

    Sanitising SQL values properly is painful - try really hard to avoid it! ;-)
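The approach the answer describes, as an added example that is not code from the original post or from Hibernate itself: a custom `Criterion` (Hibernate 3.x API) that carries a hand-written SQL fragment but hands the user-supplied value to Hibernate through `getTypedValues()`, so it is bound as a JDBC parameter rather than spliced into the SQL string. The entity class, the mapped property name passed by the caller, and the `like ... escape` syntax are assumptions; only the `Criterion`, `CriteriaQuery`, `TypedValue` and `Session` calls are Hibernate's own.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.HibernateException;
import org.hibernate.Session;
import org.hibernate.criterion.CriteriaQuery;
import org.hibernate.criterion.Criterion;
import org.hibernate.engine.TypedValue;

/**
 * Case-insensitive "starts with" restriction on a mapped String property.
 * The SQL fragment is built from mapping metadata only; the user's value
 * never touches the SQL text and is bound by Hibernate as a "?" parameter.
 */
public class StartsWithIgnoreCase implements Criterion {

    private final String propertyName; // assumed to be a mapped property of the entity
    private final String prefix;       // untrusted input, e.g. from a request parameter

    public StartsWithIgnoreCase(String propertyName, String prefix) {
        this.propertyName = propertyName;
        this.prefix = prefix;
    }

    public String toSqlString(Criteria criteria, CriteriaQuery criteriaQuery)
            throws HibernateException {
        // getColumn() resolves the column from the mapping and throws for an
        // unmapped property name, so even propertyName cannot inject SQL.
        String column = criteriaQuery.getColumn(criteria, propertyName);
        // "?" is a JDBC placeholder filled from getTypedValues(); the value is
        // never concatenated here. The escape clause makes the LIKE wildcard
        // escaping below portable across databases (assumed standard SQL).
        return "lower(" + column + ") like ? escape '\\'";
    }

    public TypedValue[] getTypedValues(Criteria criteria, CriteriaQuery criteriaQuery)
            throws HibernateException {
        // Parameter binding stops SQL injection; LIKE wildcards are a separate
        // concern, so neutralise them inside the value itself.
        String escaped = prefix
                .replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_");
        // getTypedValue() pairs the value with the property's Hibernate Type.
        return new TypedValue[] {
            criteriaQuery.getTypedValue(criteria, propertyName, escaped.toLowerCase() + "%")
        };
    }

    /**
     * The pattern this class replaces, kept only for contrast: concatenating the
     * input produces a different statement for a value such as  x' or '1'='1 .
     */
    static String unsafeFragment(String column, String prefix) {
        return "lower(" + column + ") like '" + prefix.toLowerCase() + "%'";
    }

    /**
     * Usage: the custom criterion composes with the rest of the Criteria API.
     * entityClass and propertyName are assumptions about the caller's mapping.
     */
    @SuppressWarnings("unchecked")
    public static <T> List<T> findByPrefix(Session session, Class<T> entityClass,
                                           String propertyName, String userInput) {
        return session.createCriteria(entityClass)
                .add(new StartsWithIgnoreCase(propertyName, userInput))
                .list();
    }
}
```

The same rule applies to the `createSQLQuery()` path in the question: keep the generated SQL free of request data and pass values through `setParameter()` / `setString()` on the returned query. For a one-off fragment, Hibernate 3.x also offers `Restrictions.sqlRestriction(String sql, Object value, Type type)`, which substitutes `{alias}` for the root table alias and binds `value` to the `?` in `sql` without a new class.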
