I can confirm. I know Hiawatha's SQL injection ain't perfect. False positives are a side effect of the attempt to detect most SQL injections. Just don't have it enabled all the time. It is not meant to be a replacement for secure code. I quote from the Hiawatha manual:
Don't use this as a generic security feature. Only use it to prevent a specific vulnerability in an application that can't be taken offline while you wait for a patch.