I am reading this article: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
I am using JPA with prepared statements (so that's the first point). There is also a third point, which is talking about input validation with a whitelist.
SELECT d FROM Document d WHERE d.user.id=:id AND d.title=:title
As "Your Common Sense" (and hopefully also your common sense) says, you will be protected from SQL injection in the example by using prepared statements (aka parameterized queries). When using prepared statements, the parameters are never interpreted as SQL; they're simply processed by the database as data.
But validation, when you can do it, is always good defensive coding. How is the data (the name of the document) going to be used after it is put in the database? Developers often treat data in the database as "trusted data" and don't properly leverage encoding or prepared statements, which can lead to a variety of issues such as second order SQL injection or stored XSS.
White list validation of values is ideal, but that's not always possible. How do you validate a free form text such as the name of a document, as in your case? You may want to limit your name to certain characters (white list of characters) but that can be restricting and cause internationalization issues. At the very least:
Generally - you should always:
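
The second-order case mentioned in the answer, as an added example that is not part of the original question or answer. Python's sqlite3 stands in for the JPA/database layer here; the table, function names and sample titles are constructed for illustration.

```python
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE document "
               "(id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT)")
    return db

def store_document(db, user_id, title):
    # Parameterized insert: the title is bound as data, never parsed as SQL.
    db.execute("INSERT INTO document (user_id, title) VALUES (?, ?)",
               (user_id, title))

def titles_of(db, user_id):
    rows = db.execute("SELECT title FROM document WHERE user_id = ? ORDER BY id",
                      (user_id,))
    return [r[0] for r in rows]

def count_matches_unsafe(db, user_id):
    # Second-order flaw: a value read back from the database is treated as
    # trusted and concatenated into a new statement.
    total = 0
    for title in titles_of(db, user_id):
        sql = "SELECT COUNT(*) FROM document WHERE title = '" + title + "'"
        total += db.execute(sql).fetchone()[0]
    return total

def count_matches_safe(db, user_id):
    # Same lookup, but the stored value is bound as a parameter again.
    total = 0
    for title in titles_of(db, user_id):
        row = db.execute("SELECT COUNT(*) FROM document WHERE title = ?",
                         (title,)).fetchone()
        total += row[0]
    return total

def demo():
    db = make_db()
    store_document(db, 1, "report")          # constructed sample rows
    store_document(db, 2, "salary")
    store_document(db, 2, "x' OR '1'='1")    # stored verbatim by the safe insert
    return titles_of(db, 2), count_matches_unsafe(db, 2), count_matches_safe(db, 2)

if __name__ == "__main__":
    print(demo())
```

The insert is safe in both cases; only the later query that rebuilds SQL from the stored title changes meaning, which is why stored data needs the same parameter binding as fresh input.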