Solomon Rutzky posted some thoughts on the new “Feature Restrictions” in SQL Server 2019, which some have said might help with SQL Injection. He writes up a lot of detail about what Feature Restrictions were intended to do and how they just miss the mark. He also includes several examples of how the feature can be circumvented or, in some cases, is simply not applied the way we’d like.
Feature Restrictions in SQL Server 2019 are Worse Than Useless: a False Sense of Security And Wasted Opportunity
He concludes with a link to a bug report asking that the feature be removed, lest people use it, think their system is secured, and get hacked because they didn’t do anything else. This is well worth reading if you have to secure your SQL Servers and are moving towards SQL Server 2019.