I would draw some different lessons learned. The core issue here is that the arguments coming from the search dialog were not verified before they were passed to the SQL query.
Another problem appears to exist with the SQL query processing.
In Java, when a prepared statement is used for an SQL query, the query is pre-processed. SQL injection doesn’t work, since the expression fields are treated like literals.
Frameworks like Hibernate use prepared statements to avoid SQL injection attacks.
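The comment above makes two points: the search-dialog arguments were never verified, and a prepared statement would have bound them as literals anyway. The following added example (not code from the original thread or from Hibernate) demonstrates both with Python's standard `sqlite3` module, whose `?` placeholders work the same way as a JDBC `PreparedStatement`: the statement text is parsed first, the value is bound afterwards. The table, rows, search terms and the `validate_term` allowlist are constructed for the demonstration.

```python
import sqlite3
import re

# Constructed sample data; the column layout is an assumption, not from the thread.
SAMPLE_ROWS = [("widget", 9.99), ("gadget", 19.99), ("gizmo", 4.50)]

# Constructed allowlist for a product-name search field: letters, digits,
# space, hyphen and apostrophe, bounded length. This is the "verify the
# argument" step that the comment says was missing.
TERM_PATTERN = re.compile(r"^[A-Za-z0-9 '\-]{1,64}$")


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def validate_term(term):
    """Return True only if the search term matches the allowlist."""
    return bool(TERM_PATTERN.match(term))


def search_unverified(conn, term):
    """Vulnerable form: dialog input spliced straight into the SQL text."""
    query = "SELECT name FROM products WHERE name = '" + term + "'"
    return sorted(row[0] for row in conn.execute(query))


def search_prepared(conn, term):
    """Hardened form: the statement is parsed with a placeholder, then the
    value is bound, so the term can only be compared as a string literal."""
    query = "SELECT name FROM products WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (term,)))


def search_verified_and_prepared(conn, term):
    """Both defences together: reject malformed input, then bind the value.
    Returns None when the term fails validation."""
    if not validate_term(term):
        return None
    return search_prepared(conn, term)


def demo():
    """Run the same benign and hostile terms through each variant."""
    conn = make_db()
    benign = "widget"
    hostile = "x' OR '1'='1"  # classic tautology; breaks out of the quoted literal
    return {
        "unverified_benign": search_unverified(conn, benign),
        "unverified_hostile": search_unverified(conn, hostile),
        "prepared_benign": search_prepared(conn, benign),
        "prepared_hostile": search_prepared(conn, hostile),
        "validated_hostile": search_verified_and_prepared(conn, hostile),
        "validated_benign": search_verified_and_prepared(conn, benign),
        # An apostrophe in legitimate input is harmless once bound as a value.
        "prepared_apostrophe": search_prepared(conn, "o'neil"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unverified variant returns every row for the hostile term because the quote character ends the literal and the rest becomes SQL; the prepared variant returns nothing because the whole string, quote included, is compared as a value. Validation on its own is a weaker control than binding (the allowlist above still admits an apostrophe), which is why the prepared statement is the primary defence and the allowlist is defence in depth.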