The key is to make sure the SQL is secure by itself. This is true regardless of what persistence technology you use. The most important rule is to make sure you always use bind variables (? in JDBC) for any data that could be supplied by the user.