Does an ORM framework such as Hibernate completely mitigate SQL injection?
No, you are not automatically safe.
SQL Injection can still exist.
From the OWASP page:
A note about SQL injection
Since it is the hot topic, I will address it now but discuss in detail later.
- Hibernate does not grant immunity to SQL Injection, one can misuse the API as they please.
- There is nothing special about HQL (Hibernate's subset of SQL) that makes it any more or less susceptible.
- Functions such as createQuery(String query) and createSQLQuery(String query) create a Query object that will be executed when the call to commit() is made. If the query string is tainted you have SQL injection. The details of these functions are covered later.
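As an added illustration of the tainted-string point above (this is not code from the answer or from the OWASP page), the two Hibernate lookups below differ only in how the caller's value reaches the query: spliced into the HQL text, or bound as a named parameter. It assumes the Hibernate 5.2+ `Session` API and a hypothetical mapped entity `User` with a `String name` field backed by a table `users`.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Hypothetical entity: a mapped class User with a String field "name",
// stored in a table named "users". Both are assumptions for this example.
public class UserLookup {

    // VULNERABLE: the caller-supplied value becomes part of the HQL text.
    // Any input containing a quote character can alter the query's structure,
    // which is the "tainted query string" case the OWASP note describes.
    // HQL being "not SQL" gives no protection here.
    public static List<User> findByNameUnsafe(Session session, String name) {
        String hql = "from User u where u.name = '" + name + "'";
        Query<User> q = session.createQuery(hql, User.class);
        return q.getResultList();
    }

    // SAFE: the HQL text is a constant; the value travels as a bound
    // parameter and is never parsed as query syntax.
    public static List<User> findByNameSafe(Session session, String name) {
        Query<User> q = session.createQuery(
            "from User u where u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // Native SQL through the ORM (createNativeQuery, or the older
    // createSQLQuery the answer mentions) follows the same rule:
    // bind the value, never concatenate it.
    @SuppressWarnings("unchecked")
    public static List<Object[]> findByNameNativeSafe(Session session, String name) {
        return session.createNativeQuery(
                "select id, name from users where name = :name")
            .setParameter("name", name)
            .getResultList();
    }
}
```

A cheap code-review check that follows from this: any call to `createQuery`, `createSQLQuery` or `createNativeQuery` whose argument is built with `+` or `String.format` from request data is the pattern to flag, regardless of whether the text is HQL or SQL.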
In addition to the other answers, one area where ORMs may not help is where there is an issue with the ORM code itself. For example there were a couple of issues with ActiveRecord in Rails some versions ago where the SQL injection was in the framework itself rather than in user-created code.
That said, correctly using an ORM does make it much easier to avoid SQL injection, so it'd be a good strategy to pursue, as opposed to hand crafting queries.