CRV2 SQLInjHQL

Hibernate Query Language (HQL)
Hibernate facilitates the storage and retrieval of Java domain objects via Object/Relational Mapping (ORM).

It is a very common misconception that ORM solutions, like hibernate, are SQL Injection proof. Hibernate allows the use of "native SQL" and defines a proprietary query language, called HQL (Hibernate Query Language); the former is prone to SQL Injection and the later is prone to HQL (or ORM) injection.