I have a search servlet that runs a query on my database. Right now the query looks something like this, where variable is a parameter I get from the ServletRequest.
AFAIK, you have to do prepared statements in Java to avoid SQL injection attacks. Does my using HQL absolve that, or do I need to change my query?
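As an added example (not code from the original question), here are the two query shapes the question is asking about in Java: the request parameter spliced into the HQL text, beside the same query with a named parameter bound through setParameter. The Hibernate Session and a Product entity with a String name field are assumptions made for illustration.

```java
// Added illustration, not from the original question. Assumes a Hibernate
// Session (org.hibernate.Session) and a mapped entity `Product` with a String
// field `name`; both are assumptions chosen for this example.
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.servlet.ServletRequest;
import org.hibernate.Session;
import org.hibernate.query.Query;

public class ProductSearch {

    // The pattern the question describes: the request parameter is concatenated
    // into the HQL string. HQL is a query language that Hibernate translates into
    // SQL, so the user's input becomes part of the query grammar exactly as with
    // raw SQL. Shown only for contrast with the parameterized form below.
    static List<Product> searchUnsafe(Session session, ServletRequest req) {
        String variable = req.getParameter("name");
        String hql = "from Product p where p.name = '" + variable + "'";
        return session.createQuery(hql, Product.class).list();
    }

    // Parameterized form: the HQL text is a constant and the user value is bound
    // with setParameter. Hibernate sends a JDBC PreparedStatement with a
    // placeholder, so the value is treated as data, never as query syntax.
    static List<Product> searchSafe(Session session, ServletRequest req) {
        String variable = req.getParameter("name");
        Query<Product> q = session.createQuery(
                "from Product p where p.name = :name", Product.class);
        q.setParameter("name", variable);
        return q.list();
    }

    // Minimal entity so the example is self-contained (assumed mapping).
    @Entity
    public static class Product {
        @Id
        private Long id;
        private String name;
        public Long getId() { return id; }
        public String getName() { return name; }
    }
}
```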