Comment by patrakov

15 hours ago

> If I construct my queries the right way (e.g., not concatenating strings together like it's the year 1990)...

(in the anti-WAF camp but playing a pedant here)

In your Django app, you indeed follow the best practices and don't concatenate strings together and so think that this security theater doesn't apply. Yet, this is precisely how Django ORM works under the hood, and SQL injections are periodically found there.

The real solution here is to subscribe to the django-announce list and update Django, or backport the fix manually.
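An added illustration of the point above, written for this page and not taken from the comment, from Django, or from any real ORM: bound parameters protect *values*, but an ORM still has to splice *identifiers* (column names for ORDER BY, table names, function names) into the SQL text itself, so its own validation of those identifiers is where bugs live. The in-memory sqlite3 database and the tiny query builder are constructed for the example; `order_by_unchecked` and `order_by_checked` are hypothetical names, not Django APIs.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def find_concat(conn, name):
    """1990-style: the value is spliced into the SQL text. Injectable."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_param(conn, name):
    """Bound parameter: the driver passes the value separately. Not injectable."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# --- The part an ORM cannot parameterise -------------------------------------
# A placeholder can only stand in for a value, never for a column name, so any
# query builder that supports order_by(user_supplied_field) must build that part
# of the statement by string concatenation. Whether that is safe depends entirely
# on how strictly the builder validates the identifier before splicing it in.

def order_by_unchecked(conn, column):
    """Hypothetical naive builder: trusts the field name it was given."""
    sql = "SELECT name FROM users ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]


# Allowlist of what an identifier may look like. A real ORM additionally checks
# the name against the model's declared fields; this example only checks shape.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def order_by_checked(conn, column):
    """Hypothetical hardened builder: validates and quotes the identifier."""
    if not _IDENT.match(column):
        raise ValueError(f"invalid column name: {column!r}")
    # Double quotes are the SQL identifier quoting; sqlite falls back to treating
    # an unknown "name" as a string literal, which is why the shape check above
    # is not enough on its own and field-name validation matters too.
    sql = 'SELECT name FROM users ORDER BY "' + column + '"'
    return [row[0] for row in conn.execute(sql)]


def blind_probe(target_user):
    """Boolean-based inference through ORDER BY: the sort direction leaks whether
    target_user is an admin, without any quote or value injection at all."""
    return (
        "(CASE WHEN (SELECT is_admin FROM users WHERE name = '"
        + target_user
        + "') = 1 THEN id ELSE -id END)"
    )


if __name__ == "__main__":
    conn = make_db()
    print(find_concat(conn, "x' OR '1'='1"))   # every row leaks
    print(find_param(conn, "x' OR '1'='1"))    # []
    print(order_by_unchecked(conn, "name LIMIT 1"))          # statement reshaped
    print(order_by_unchecked(conn, blind_probe("alice")))   # ascending: admin
    print(order_by_unchecked(conn, blind_probe("bob")))     # descending: not admin
    print(order_by_checked(conn, "name"))
    try:
        order_by_checked(conn, "name LIMIT 1")
    except ValueError as exc:
        print("rejected:", exc)
```

The `blind_probe` call is the interesting one: the application never concatenates a quoted value, the attacker never closes a quote, and the result set is still an oracle for data the query was not supposed to expose. That is the class of bug that surfaces in ORMs from time to time, which is why the comment's advice to track the project's security announcements holds even for code that parameterises every value.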