Queries should be parameterized using [`setParameter`](https://docs.hibernate.org/orm/5.6/javadocs/org/hibernate/query/Query.html) and **not** built by concatenating values into the HQL/SQL string: a concatenated value is parsed as part of the query syntax, so attacker-controlled input can alter the query itself (HQL/SQL injection), whereas a bound parameter is passed separately from the query text and is only ever treated as data. At least `DatabaseBasisQuery` and its related classes are heavily affected.
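As an added illustration (not code from this project; `DatabaseBasisQuery` is not reproduced here), the following shows the concatenation pattern beside its parameterized replacement using Hibernate 5.6's `Session.createQuery` and `Query.setParameter`. The `Customer` entity and its `email`/`status` fields are assumed for the example.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Assumed entity for illustration only.
@Entity
class Customer {
    @Id public Long id;
    public String email;
    public String status;
}

public class CustomerQueries {

    // Vulnerable: the caller-supplied value becomes part of the HQL text, so quotes
    // and operators inside `email` are parsed as query syntax rather than as data.
    public static List<Customer> findByEmailUnsafe(Session session, String email) {
        String hql = "from Customer c where c.email = '" + email + "'";
        return session.createQuery(hql, Customer.class).getResultList();
    }

    // Fixed: the value is bound with setParameter and transmitted separately from
    // the query text, so it cannot change the query's structure.
    public static List<Customer> findByEmail(Session session, String email) {
        Query<Customer> q = session.createQuery(
                "from Customer c where c.email = :email", Customer.class);
        q.setParameter("email", email);
        return q.getResultList();
    }

    // JPA-style ordinal parameters (?1, ?2) are bound the same way.
    public static List<Customer> findByEmailAndStatus(Session session, String email, String status) {
        return session.createQuery(
                "from Customer c where c.email = ?1 and c.status = ?2", Customer.class)
            .setParameter(1, email)
            .setParameter(2, status)
            .getResultList();
    }

    // Identifiers such as a sort column cannot be bound as parameters; the only safe
    // way to make them dynamic is to check the value against a fixed allowlist first.
    private static final Set<String> SORTABLE = Set.of("email", "status");

    public static List<Customer> listSorted(Session session, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        return session.createQuery("from Customer c order by c." + sortColumn, Customer.class)
            .getResultList();
    }
}
```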