My manager wants to know if our code is vunerable to sql injection. With straight JDBC, I know that using Prepared Statements (bind variables) will help. We do have some hibernate in which I am not that familar with. It looks like hibernate has prepared statements, so using those will minimize SQL injection like in JDBC? Thanks!