I think the book may be referring to something like this:
Suppose you have a web application handling the url /login?user=alice&password=hunter1
with code such as:
database->query("SELECT user FROM usertable WHERE username='" + user + "' AND password='"+ password + "'")
which has a trivial SQLi vulnerability (in addition of passing credentials in the url and storing passwords in plaintext!).
An approach to secure the application just at the external boundary would so something like forbidding the '
character in the requested url, sometimes in a firewall or htaccess, in order to avoid the injection. Which can be bypassed by simply using %27
in the url, and let the receiving program decode that into the '
.
The moral of the story is that the module building that SQL query should be handling the parameters properly (by calling a database-specific escape function or using prepared statements), as it is the one with the specific knowledge that user and password are variables and not part of the query. HTTP level is the wrong place to solve that problem which is actually in the login module.
As a corollary, you should take security into account on every step, it's not "something you add at the end of creating the product" or that can be solved by "installing a WAF in front of the system". A WAF might dwarf some attacks, and it can be valuable as an additional measure to raise the stakes, but it doesn't have the application-specific knowledge of how every parameter should behave (you can see the opposite as well, when a WAF blocks a perfectly safe POST because it contained SQL code -such as a developer documenting some queries in a wiki- which would have been processed safely, but wasn't known by the filter).