
SqlDataSource.AllowCustomSqlQueries Property

Specifies whether or not custom SQL queries can be used to fill the SqlDataSource.

Namespace: DevExpress.DataAccess.Sql

Assembly: DevExpress.DataAccess.v24.1.dll

NuGet Packages: DevExpress.DataAccess, DevExpress.Win.PivotGrid, DevExpress.Win.TreeMap

Declaration

[Browsable(false)]
public static bool AllowCustomSqlQueries { get; set; }

Property Value

Type: Boolean

Description: true, to allow specifying custom SQL for the SqlDataSource; otherwise, false. The default is true.

Remarks

When the AllowCustomSqlQueries property is set to false, the SqlDataSource cannot be filled with data using custom SQL queries. In this case, custom SQL queries are skipped when the SqlDataSource.Fill or SqlDataSource.RebuildResultSchema method is called.

When the AllowCustomSqlQueries property is set to true, custom queries will be validated before execution. The standard validation is enabled by default.

Important

Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds.
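One way to implement the restrictive validation recommended above, as an added example that is not DevExpress code: an allowlist that accepts a custom query only when its text matches a pre-approved statement, ignoring layout differences outside quoted literals. The ApprovedQueryList class, its members, and the sample queries are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public sealed class ApprovedQueryList
{
    private readonly HashSet<string> approved = new HashSet<string>(StringComparer.Ordinal);

    public ApprovedQueryList(IEnumerable<string> approvedSql)
    {
        foreach (string sql in approvedSql)
            approved.Add(Canonicalize(sql) ?? throw new ArgumentException("Unusable query: " + sql));
    }

    // True only when the submitted text canonicalizes to an approved statement.
    public bool IsApproved(string sql) => Canonicalize(sql) is string s && approved.Contains(s);

    // Collapses whitespace outside quoted literals/identifiers and drops one trailing ';'.
    // Returns null (fail closed) for empty text, SQL comments, or an unterminated quote.
    public static string Canonicalize(string sql)
    {
        var sb = new StringBuilder();
        char quote = '\0';
        for (int i = 0; sql != null && i < sql.Length; i++)
        {
            char c = sql[i], next = i + 1 < sql.Length ? sql[i + 1] : '\0';
            if (quote != '\0') { sb.Append(c); if (c == quote) quote = '\0'; continue; }
            if (c == '\'' || c == '"') { quote = c; sb.Append(c); continue; }
            if ((c == '-' && next == '-') || (c == '/' && next == '*')) return null;
            if (!char.IsWhiteSpace(c)) sb.Append(c);
            else if (sb.Length > 0 && sb[sb.Length - 1] != ' ') sb.Append(' ');
        }
        if (quote != '\0') return null;
        string text = sb.ToString().TrimEnd();
        if (text.EndsWith(";")) text = text.Substring(0, text.Length - 1).TrimEnd();
        return text.Length == 0 ? null : text;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample queries: same statement with different layout, a changed
        // literal, and a comment that cuts off the WHERE clause.
        var list = new ApprovedQueryList(new[] { "SELECT Id FROM Products WHERE Status = 'in  stock'" });
        Console.WriteLine(list.IsApproved("SELECT Id\n  FROM Products WHERE Status = 'in  stock';"));
        Console.WriteLine(list.IsApproved("SELECT Id FROM Products WHERE Status = 'in stock'"));
        Console.WriteLine(list.IsApproved("SELECT Id FROM Products -- WHERE Status = 'in  stock'"));
    }
}
```

A handler for the SqlDataSource.ValidateCustomSqlQuery event (not described on this page; confirm it against your DevExpress version) can set e.Valid from IsApproved(e.CustomSqlQuery.Sql).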

To enable unrestricted execution of custom queries (e.g., those containing DELETE, INSERT, PROCEDURE and UPDATE statements), set the static SqlDataSource.DisableCustomQueryValidation property to true.

Some DevExpress controls also provide the EnableCustomSql property. For example:

When any of these properties is set to true (and the AllowCustomSqlQueries property is set to false), custom SQL queries can be created and executed only in a Data Source Wizard available in the control.

Note

To access custom SQL queries (CustomSqlQuery) for the specified SqlDataSource, use the SqlDataSource.Queries property.
