by MattPalmer1086 956 days ago
Yep. If your developers actually use them consistently all the time. There's always someone who can't resist a bit of string concatenation...
This is what code reviews are for.
Yes, those are needed too. And static analysis and dynamic analysis, etc.

Despite all of that we just found a SQL injection that existed for years somehow. Luckily the WAF blocked attempts to exploit it until we could issue a fix.

Defence in depth is the win here.
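The thread's point is that prepared statements only help when every call site uses them, so the "static analysis" layer has to catch the developer who reaches for string concatenation. The following is an added example, not code from the thread or from any of the commenters: a toy AST-based checker that flags `execute`-style calls whose query argument is built at runtime by `+`, `%`, `.format()` or an f-string, and leaves parameterized calls alone. The sample source it scans (`SAMPLE_SOURCE`) and the function names in it are constructed for the demonstration.

```python
import ast

# Constructed sample module: four unsafe query-building styles, one safe
# parameterized call, and one string concatenation that is not SQL at all.
SAMPLE_SOURCE = '''
def find_user_concat(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")

def find_user_fstring(cur, name):
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")

def find_user_format(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '{}'".format(name))

def find_user_percent(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '%s'" % name)

def find_user_ok(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))

def log_message(cur, msg):
    print("user said " + msg)
'''

SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "FROM", "WHERE")
EXEC_METHODS = {"execute", "executemany", "executescript"}


def _string_fragments(node):
    """Yield the literal string pieces that contribute to a query expression."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        yield node.value
    elif isinstance(node, ast.JoinedStr):           # f-string
        for part in node.values:
            yield from _string_fragments(part)
    elif isinstance(node, ast.BinOp):               # "..." + x  or  "..." % x
        yield from _string_fragments(node.left)
        yield from _string_fragments(node.right)
    elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
          and node.func.attr == "format"):          # "...".format(x)
        yield from _string_fragments(node.func.value)


def _is_dynamic(node):
    """True if the expression assembles a string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def _looks_like_sql(node):
    """Cheap heuristic: does the literal part of the expression contain SQL keywords?"""
    words = " ".join(_string_fragments(node)).upper().split()
    return any(kw in words for kw in SQL_KEYWORDS)


def find_dynamic_sql(source):
    """Return (function_name, line_number) for every execute()-style call whose
    first argument is SQL text built by concatenation or formatting."""
    tree = ast.parse(source)
    findings = []
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and node.args
                    and isinstance(node.func, ast.Attribute)
                    and node.func.attr in EXEC_METHODS):
                query = node.args[0]
                if _is_dynamic(query) and _looks_like_sql(query):
                    findings.append((fn.name, node.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_dynamic_sql(SAMPLE_SOURCE):
        print(f"line {line}: {name}() builds its SQL string dynamically")
```

Run on the sample, it reports the four concatenation/formatting variants and stays quiet on `find_user_ok` (placeholder plus a parameter tuple) and on the non-SQL concatenation in `log_message`. The checker only looks at the expression passed directly to the call; a query assembled into a variable a few lines earlier slips through, which is exactly the kind of gap that makes the thread's layered approach (reviews, a real analyzer such as Bandit or Semgrep with dataflow, and a WAF as a last line) the sensible posture.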