PreparedStatement alone does not help you if you are still concatenating Strings.
For instance, one rogue attacker can still do the following:
Not only SQL, but even JPQL or HQL can be compromised if you are not using bind parameters.
Bottom line, you should never use string concatenation when building SQL statements. Use a dedicated API for that purpose, like JPA Criteria API.
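As an added illustration (not code from the answer above), the concatenated form the answer warns about next to the bind-parameter form, for both JDBC and JPQL; the `users` table, the `User` entity and the method names are assumed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

public class UserLookup {

    // INSECURE: the query text is assembled from user input, so the
    // PreparedStatement only "prepares" whatever the caller supplied.
    // Shown only to make the pattern the answer warns against concrete.
    static ResultSet findByNameUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        PreparedStatement ps = conn.prepareStatement(sql); // input is already part of the SQL
        return ps.executeQuery();
    }

    // SAFE: the SQL text is a constant; the value travels as a bind parameter
    // and is never parsed as SQL, whatever characters it contains.
    static ResultSet findByNameSafe(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT id, name FROM users WHERE name = ?");
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // Same rule for JPQL: concatenating into createQuery() is just as
    // injectable; a named parameter keeps the query shape fixed.
    // (User is an assumed JPA entity with a "name" attribute.)
    static List<User> findByNameJpql(EntityManager em, String name) {
        TypedQuery<User> q = em.createQuery(
                "SELECT u FROM User u WHERE u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }
}
```

A quick review check is to grep for `prepareStatement(` or `createQuery(` calls whose first argument is not a string literal; each one is a candidate for the unsafe pattern.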