Вы имеете в виду, как избежать внедрения SQL (SQL injection), например конкатенации операторов SQL со значениями пользователя во время выполнения? В HQL для этого служат именованные параметры (`:name`), которые привязываются через `setXxx(...)`: значения передаются отдельно от текста запроса и не могут изменить сам оператор — это аналог `PreparedStatement` в JDBC.
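// HQL with named parameters (:createDate, :quantity, :custName). The filter
// values are bound by Hibernate and never concatenated into the query text,
// so caller-supplied input cannot change the statement itself. The query text
// is a constant, so nothing user-controlled ever reaches createQuery().
// The "(:p IS NULL OR col = :p)" form makes each filter optional.
static final String INVOICE_QUERY = "SELECT inv from Invoice inv WHERE (:createDate IS NULL OR inv.createDate = :createDate) AND (:quantity IS NULL OR inv.quantity = :quantity) AND (:custName IS NULL OR inv.custName = :custName)";
// openSession() returns a session the caller owns; it must be closed, otherwise
// the underlying JDBC connection leaks on every call (the original never closed it).
Session session = getHibernateTemplate().getSessionFactory().openSession();
try {
    Query query = session.createQuery(INVOICE_QUERY);
    // A null createDate disables that filter via the "IS NULL" branch.
    query.setDate("createDate", createDate);
    if (quantity != null) {
        query.setLong("quantity", quantity);
    } else {
        // NOTE(review): a BigInteger setter is used here only to bind a typed
        // null for the quantity parameter (setLong takes a primitive and cannot
        // take null). Presumably a workaround so the driver knows the parameter
        // type for ":quantity IS NULL" — confirm it maps to inv.quantity's type
        // on the target database.
        query.setBigInteger("quantity", null);
    }
    // Blank customer names are treated as "no filter" rather than matching "".
    if (StringUtils.isNotBlank(custName)) {
        query.setString("custName", custName);
    } else {
        query.setString("custName", null);
    }
    return query.list();
} finally {
    // Release the session (and its connection) on both normal and exceptional exit.
    session.close();
}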