By the moment, I know four kinds of doing transactions with hibernate:

1. Using objects
2. Using HQL
3. Using DB-specific SQL
4. Using criteria (QBE)

Well, regarding how strong are they against injections, I think these are (correct me if I’m wrong):

1. Secure, because the internal SQL call is parameterized.
2. Secure if the query is parameterized, insecure otherwise.
3. Same as #2 but not as portable.
4. Insecure?

My question is about #4, Query by Example, because i’ve found it is also vulnerable. Example:

    Account a = new Account(); //POJO class       
    a.setId("1' OR '1'='1");

    //s is a org.hibernate.Session instance
    Criteria crit = s.createCriteria(Account.class);
    crit.add(Example.create(a));
    List results = crit.list();  //table dump!

That snippet selects the whole accounts table. Is there any way to prevent injection? How?

NOTE: I’m using Hibernate 3.6.5 final, the testing database is HSQLDB.

UPDATE: Seems like a bug to me too, and indeed may be not related to the injected SQL. Tried setting the id with a nonexistent value and also returns all the rows. Tried the injection with ‘5’=’5′ instead of ‘1’=’1′ and the 5 is not propagated to the SQL call. It keeps using (1=1) as where clause.

UPDATE 2: Solved. See the answer below.