且构网 - sharing what programmers run into in programming and development

Native SQL query - SQL injection attack

Updated: 2023-02-05 21:41:14


You should use positional parameters binding:

import javax.persistence.EntityManager;
import javax.persistence.Query;
// ?1 is a positional parameter: the provider binds the value, it is never spliced into the SQL text.
String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey");

Please note that you should not use named parameter binding (:empName) in your query, as the JPA spec says:

Only positional parameter binding may be portably used for native queries.


This should secure you from SQL Injection attacks.
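As an added example that is not part of the original answer, the concatenated query that binding replaces, shown beside the bound version, plus the one case a positional parameter cannot cover (a column name chosen by the caller). The Employee entity, the EMP table with its NAME column, and the EntityManager are assumed.

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;
import java.util.List;
import java.util.Set;

// Assumed: Employee is a JPA entity mapped to table EMP, `em` is a live EntityManager.
public class EmployeeLookup {

    // Columns a caller may sort by. Parameters bind values, not identifiers,
    // so an ORDER BY column must be checked against a fixed allow-list instead.
    private static final Set<String> SORTABLE = Set.of("NAME", "HIREDATE");

    private final EntityManager em;

    public EmployeeLookup(EntityManager em) {
        this.em = em;
    }

    // UNSAFE: the caller-supplied value becomes part of the SQL text itself.
    // Even a legitimate name such as O'Brien breaks the statement, and hostile
    // input can change what it does. Kept only to contrast with the version below.
    @SuppressWarnings("unchecked")
    public List<Employee> findByNameUnsafe(String name) {
        String sql = "select * from EMP e where e.name = '" + name + "'";
        return em.createNativeQuery(sql, Employee.class).getResultList();
    }

    // SAFE: the SQL text is a constant; ?1 is passed to the JDBC driver as a
    // bound value, so quotes inside `name` are data, never syntax. Positional
    // rather than named (:name) because only positional binding is portable
    // for native queries under the JPA spec.
    @SuppressWarnings("unchecked")
    public List<Employee> findByName(String name) {
        String sql = "select * from EMP e where e.name = ?1";
        Query query = em.createNativeQuery(sql, Employee.class);
        query.setParameter(1, name);
        return query.getResultList();
    }

    // The value is still bound; the column name, which cannot be a parameter,
    // is accepted only if it is one of the fixed identifiers in SORTABLE.
    @SuppressWarnings("unchecked")
    public List<Employee> findByNameSorted(String name, String sortColumn) {
        String column = sortColumn.toUpperCase();
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "select * from EMP e where e.name = ?1 order by e." + column;
        Query query = em.createNativeQuery(sql, Employee.class);
        query.setParameter(1, name);
        return query.getResultList();
    }
}
```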