Thanks, Ramya.
Hibernate uses PreparedStatements for every SQL statement that is executed, so, as long as you don't concatenate SQL strings, you should be fine with JPQL, Criteria API, and native queries too.
I find JPQL much more expressive than Criteria API. However, Criteria API is the right tool for building dynamic entity queries programmatically and in a type-safe way.
This way, JPQL and Criteria API are complementary, not competing one against each other.
Criteria API creates more objects that JPQL, so the performance penalty comes only from more work being done by GC.
JPA 2.1 allows you to call stored procedure, check out
this article that I wrote, and
ParameterMode supports IN, OUT, INOUT and REF_CURSOR too.
Vlad