This tweet highlights an important fact about Web Application Firewalls (WAFs): they are not foolproof against SQL Injection (SQLi) attacks. The payload mentioned, UNION/*!SELECT*/, is an obfuscated SQL injection technique that can bypass some WAFs. The obfuscation places comment-style syntax inside the SQL query to evade detection, and some WAFs fail to block it. The tweet references a real-world scenario in which a security firm demonstrated this bypass by gaining administrative access through such an injection. The key takeaway is that while WAFs add a layer of protection, developers must not rely on them alone for security. It is crucial to also secure the code itself: validate and sanitize inputs properly, use prepared statements, and follow security best practices in development to prevent SQL injection vulnerabilities.
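As an added example (not code from the tweet or from the firm it references), the Python sketch below shows both halves of that takeaway: a keyword signature standing in for a WAF rule does not match the obfuscated fragment, while a prepared statement binds the same input as plain data. The regex, table, rows and function names are assumptions made for illustration, and sqlite3 is used only so the example runs offline.

```python
import re
import sqlite3

# Constructed stand-in for a keyword signature; not any real WAF's rule.
NAIVE_SIGNATURE = re.compile(r"\bunion\s+select\b", re.IGNORECASE)
PAGE_PAYLOAD = "UNION/*!SELECT*/"  # the fragment quoted on the page


def naive_filter_blocks(value: str) -> bool:
    """Return True if the keyword signature would flag this input."""
    return NAIVE_SIGNATURE.search(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: `name` is bound as a value, never parsed as SQL."""
    cur = conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def demo() -> dict:
    conn = make_db()
    hostile = "bob' " + PAGE_PAYLOAD  # constructed input carrying the fragment
    results = {
        "plain_flagged": naive_filter_blocks("UNION SELECT"),
        "obfuscated_flagged": naive_filter_blocks(hostile),
        "legit_lookup": find_user(conn, "bob"),
        "hostile_lookup": find_user(conn, hostile),
    }
    # Stored and read back through bound parameters, the string stays a literal.
    conn.execute("INSERT INTO users (name, role) VALUES (?, ?)", (hostile, "user"))
    results["round_trip"] = find_user(conn, hostile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The signature misses the input because no whitespace separates the two keywords, which is exactly the gap the comment-style obfuscation relies on; the bound parameter is unaffected by how the input is spelled.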