java - Does Hibernate's createCriteria() sanitize input?
I came across some code today that uses Hibernate to perform a query. The query uses a value submitted from a form, which made me curious whether or not this sort of code "sanitizes" its input.
```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Criterion;
import org.hibernate.criterion.Restrictions;

@SuppressWarnings("unchecked")
public List<School> search(String query) {
    Session session = this.getCurrentSession();
    // Wrap the user-supplied text in wildcards for a "contains" match
    query = "%" + query + "%";
    Criteria criteria = session.createCriteria(getPersistentClass());
    criteria.createAlias("country", "a");
    // Case-insensitive LIKE on name, city and the aliased country name
    Criterion nameCriterion = Restrictions.ilike("name", query);
    Criterion cityCriterion = Restrictions.ilike("city", query);
    Criterion countryCriterion = Restrictions.ilike("a.name", query);
    Criterion criterion = Restrictions.or(Restrictions.or(nameCriterion, cityCriterion), countryCriterion);
    criteria.add(criterion);
    return criteria.list();
}
```
Is this safe?
Hibernate Criteria queries are quite safe in terms of SQL injection, since they pass strings as parameters while performing the fetch. Even HQL is quite safe unless you build the query via string literals.

For more details, you should take a look at the queries getting fired at the database level by switching on Hibernate SQL logging.
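As an added illustration, not code from the question or the answer, the three cases the answer distinguishes side by side: HQL assembled by string concatenation (the unsafe "string literal" case), the same search with a bound named parameter, and the Criteria form from the question. The `School` entity with `name`, `city` and a `country` association (whose entity has a `name`), and an open `Session`, are assumed to exist as in the question; `escapeLike` is a helper written here and is not part of Hibernate.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;

@SuppressWarnings("unchecked")
public class SchoolSearch {

    // Assumed entity (not on the original page): School with String fields
    // 'name' and 'city', and a many-to-one 'country' whose entity has a String 'name'.

    /**
     * UNSAFE: the user's text becomes part of the HQL source. Even a harmless
     * value containing a single quote (e.g. "O'Neil") breaks the statement, and
     * crafted input can change what the statement means. This is the
     * "query built via string literals" case the answer warns about.
     */
    public List<School> searchUnsafe(Session session, String userInput) {
        String hql = "select s from School s where lower(s.name) like '%"
                + userInput.toLowerCase() + "%'";
        return session.createQuery(hql).list();
    }

    /**
     * SAFE: the pattern travels to the database as a bound parameter, never as
     * SQL text. The 'escape' clause makes the backslash inserted by escapeLike
     * the LIKE escape character, so '%' and '_' typed by the user match literally.
     */
    public List<School> searchHql(Session session, String userInput) {
        Query q = session.createQuery(
                "select s from School s join s.country c "
              + "where lower(s.name) like :p or lower(s.city) like :p "
              + "or lower(c.name) like :p escape '\\'");
        q.setParameter("p", "%" + escapeLike(userInput.toLowerCase()) + "%");
        return q.list();
    }

    /**
     * SAFE against injection for the same reason: Restrictions.ilike binds the
     * pattern as a parameter. Note that the legacy Criteria API offers no escape
     * clause here, so any '%' or '_' in userInput still acts as a wildcard.
     */
    public List<School> searchCriteria(Session session, String userInput) {
        String pattern = "%" + userInput + "%";
        Criteria criteria = session.createCriteria(School.class);
        criteria.createAlias("country", "a");
        criteria.add(Restrictions.or(
                Restrictions.or(Restrictions.ilike("name", pattern),
                                Restrictions.ilike("city", pattern)),
                Restrictions.ilike("a.name", pattern)));
        return criteria.list();
    }

    /**
     * Neutralise LIKE metacharacters so user text is matched literally.
     * This is not an injection fix (parameter binding already covers that);
     * it stops a stray '%' or '_' from widening a search into a full-table
     * match, which is a data-exposure and performance concern rather than a
     * query-structure one. Helper written for this example.
     */
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_");
    }
}
```

To check this the way the answer suggests, set `hibernate.show_sql=true` (and `hibernate.format_sql=true` for readability) in the Hibernate configuration and run each method with the same input: the SQL logged for `searchHql` and `searchCriteria` contains `?` placeholders where the user's text would appear verbatim in the statement logged for `searchUnsafe`.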