
Does Spring Data JPA prevent SQL injection?

Updated: 2023-09-07 09:39:40

.save() is safe; only the use of native queries is vulnerable.

// Vulnerable: the untrusted value of `name` is concatenated into the SQL text itself
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can also make native queries safe if you use parameters.

// Safe: the value is bound as a positional parameter and never becomes part of the SQL text
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
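To make the distinction in the answer concrete, here is an added example (not code from the original answer) that puts the same Customer lookup side by side in the forms a Spring Data JPA application actually uses: a derived repository method, a native @Query with a named parameter, the concatenated EntityManager query from the answer, and its parameterized counterpart. The Customer entity, the `customer` table and the `name` column are assumed, as is Spring Boot 3 with Jakarta Persistence imports.

```java
// Added example, not from the original answer. Entity, table and column
// names are assumed; the code targets Spring Boot 3 (jakarta.persistence).
import java.util.List;

import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;
import jakarta.persistence.PersistenceContext;
import jakarta.persistence.TypedQuery;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;

@Entity
class Customer {
    @Id
    private Long id;
    private String name;
    // getters and setters omitted for brevity
}

// 1. Repository methods: Spring Data always binds the argument as a query
//    parameter; no method here can build SQL by concatenating input.
interface CustomerRepository extends JpaRepository<Customer, Long> {

    // Derived query, generated as "select c from Customer c where c.name = ?1".
    List<Customer> findByName(String name);

    // Native SQL with a named parameter: the value travels to the driver
    // separately from the SQL text, so it cannot change the statement.
    @Query(value = "SELECT * FROM customer WHERE name = :name", nativeQuery = true)
    List<Customer> findByNameNative(@Param("name") String name);
}

@Repository
class CustomerDao {

    @PersistenceContext
    private EntityManager entityManager;

    // 2. UNSAFE (the anti-pattern from the answer): the input is spliced into
    //    the SQL text. A single quote inside `name` ends the string literal and
    //    the remainder of the input is parsed as SQL.
    @SuppressWarnings("unchecked")
    List<Customer> findByNameConcatenated(String name) {
        return entityManager
                .createNativeQuery("SELECT * FROM customer WHERE name = '" + name + "'", Customer.class)
                .getResultList();
    }

    // 3. SAFE: positional parameter. The identical input is now only a value
    //    compared against the column; quotes in it have no SQL meaning.
    @SuppressWarnings("unchecked")
    List<Customer> findByNameParameterized(String name) {
        return entityManager
                .createNativeQuery("SELECT * FROM customer WHERE name = ?1", Customer.class)
                .setParameter(1, name)
                .getResultList();
    }

    // 4. The same guarantee with JPQL and a TypedQuery (no unchecked cast needed).
    List<Customer> findByNameJpql(String name) {
        TypedQuery<Customer> q = entityManager.createQuery(
                "SELECT c FROM Customer c WHERE c.name = :name", Customer.class);
        return q.setParameter("name", name).getResultList();
    }
}
```

The practical check for a code review is therefore not "does the project use Spring Data JPA" but "does any `createNativeQuery`, `createQuery` or `@Query` string contain a `+` or a `String.format` with request data in it". Every form above except `findByNameConcatenated` keeps the SQL text constant and sends user input only as a bound parameter, which is what makes `.save()` and the repository methods safe.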