Critiq Docs


security.sql-injection

# Bind Hibernate query parameters instead of concatenating SQL

Hibernate `Session.createQuery`, `createNativeQuery`, and `createSQLQuery` calls must not build their query text from string concatenation or `String.format`.

## Metadata

| Field | Value |
| --- | --- |
| Rule ID | `java.security.hibernate-sql-concatenation` |
| Severity | critical |
| Confidence | 0.84 |
| Languages | java |
| Presets | security, strict |
| Stability | stable |
| Applies to | block |
| Tags | hibernate, java, rules-catalog, security, sql-injection |

## Why it matters

Dynamic SQL or HQL fragments stitched into a Hibernate query string are an injection sink whenever any segment originates from request, environment, or uploaded input: the untrusted value becomes part of the query's structure rather than a bound value.

## Remediation

Use named or positional parameters via `setParameter`, the Criteria API, or typed query DSLs instead of interpolating values into the HQL or SQL text.
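The following is an added example, not code from the rule catalog or from Hibernate itself. It shows the two shapes this rule flags (string concatenation and `String.format` feeding `createQuery` / `createNativeQuery`) next to the three remediations the rule suggests: a named parameter, a positional parameter, and the Criteria API. The `User` entity, the `users` table and its columns, and the Hibernate 6 / Jakarta Persistence imports are assumptions made for the illustration.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Root;
import java.util.List;

// Assumed for this example: a mapped entity User with fields "username" and
// "email", backed by a table "users" with columns of the same names.
public class UserRepository {

    private final Session session;

    public UserRepository(Session session) {
        this.session = session;
    }

    // FLAGGED: the HQL text is assembled from a caller-supplied value. A username
    // containing a single quote changes the structure of the query instead of the
    // value being compared. This is exactly the pattern
    // java.security.hibernate-sql-concatenation reports.
    public List<User> findByUsernameUnsafe(String username) {
        String hql = "from User u where u.username = '" + username + "'";
        return session.createQuery(hql, User.class).getResultList();
    }

    // FLAGGED: String.format is concatenation by another name; the rule treats a
    // formatted query string the same way as a concatenated one.
    public List<User> findByEmailUnsafe(String email) {
        String sql = String.format("select * from users where email = '%s'", email);
        return session.createNativeQuery(sql, User.class).getResultList();
    }

    // REMEDIATED: named parameter. The HQL text is a constant and Hibernate binds
    // the value separately, so no input can alter the query's structure.
    public List<User> findByUsername(String username) {
        Query<User> q = session.createQuery(
                "from User u where u.username = :username", User.class);
        q.setParameter("username", username);
        return q.getResultList();
    }

    // REMEDIATED: positional (JPA-style ?1) parameter on a native SQL query.
    public List<User> findByEmail(String email) {
        return session.createNativeQuery(
                        "select * from users where email = ?1", User.class)
                .setParameter(1, email)
                .getResultList();
    }

    // REMEDIATED: Criteria API. There is no query string to concatenate into; the
    // predicate is built from typed objects and the value is always bound.
    public List<User> findByUsernameCriteria(String username) {
        CriteriaBuilder cb = session.getCriteriaBuilder();
        CriteriaQuery<User> cq = cb.createQuery(User.class);
        Root<User> root = cq.from(User.class);
        cq.select(root).where(cb.equal(root.get("username"), username));
        return session.createQuery(cq).getResultList();
    }
}
```

Parameters bind values, not identifiers. If a caller is allowed to choose something like a sort column, map the request value onto a fixed set of constant strings in code rather than interpolating it, so the query text that reaches `createQuery` is still a literal the rule can verify.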

## Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.hibernate-sql-concatenation.rule.yaml`.