
SqlDataSource.AllowCustomSqlQueries Property

Specifies whether a user can add custom SQL queries to fill the SqlDataSource.

Namespace: DevExpress.DataAccess.Sql

Assembly: DevExpress.DataAccess.v25.1.dll

NuGet Package: DevExpress.DataAccess

Declaration

[Browsable(false)]
public static bool AllowCustomSqlQueries { get; set; }

Property Value

Type: Boolean

Description: true, to allow users to specify custom SQL for the SqlDataSource; otherwise, false.

The default is true.

Remarks

When the AllowCustomSqlQueries property is set to false, the SqlDataSource cannot be filled with data using custom SQL queries. In this case, custom SQL queries are skipped when calling the SqlDataSource.Fill or SqlDataSource.RebuildResultSchema methods.

When you set the AllowCustomSqlQueries property to true, you can build and execute custom SQL queries to fill the SqlDataSource with data. In this case, the standard validation mechanism is used to validate custom SQL queries before execution.

Important

The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data/database structure. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent the execution of potentially harmful requests.

We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Ensure that you follow best practices and implement the appropriate user read/write privileges at the database level. By setting permissions within the database, you ensure that only authorized users and processes can access or modify data.

To enable additional validation for custom SQL queries, you can handle one of the following events:

Some DevExpress controls also expose the EnableCustomSql property. For example:

When any of these properties is set to true (and the AllowCustomSqlQueries property is set to false), custom SQL queries can be created and executed only by invoking the Data Source Wizard for the corresponding control.

Tip

To access custom SQL queries (CustomSqlQuery) for the specified SqlDataSource, use the SqlDataSource.Queries property.
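One way to implement the additional verification recommended above is an exact-match allowlist of reviewed queries. This is an added example, not DevExpress code: CustomSqlPolicy and its members are hypothetical names, and it assumes the SqlDataSource.ValidateCustomSqlQuery event and its Valid, ExceptionMessage and CustomSqlQuery arguments, which this section does not list.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using DevExpress.DataAccess.Sql;

// Added example: CustomSqlPolicy and its members are hypothetical names.
public static class CustomSqlPolicy
{
    // SHA-256 fingerprints of the custom queries that passed review (filled at startup).
    static readonly HashSet<string> Approved = new HashSet<string>(StringComparer.Ordinal);

    // Only surrounding whitespace is ignored; any other edit changes the fingerprint.
    public static string Fingerprint(string sql)
    {
        byte[] text = Encoding.UTF8.GetBytes((sql ?? string.Empty).Trim());
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(text));
    }

    public static void Approve(string sql) { Approved.Add(Fingerprint(sql)); }

    public static bool IsApproved(string sql) { return Approved.Contains(Fingerprint(sql)); }

    // Audit a data source (for example, one loaded from a stored layout) before Fill:
    // returns the names of custom queries that are not on the approved list.
    public static List<string> FindUnapproved(SqlDataSource dataSource)
    {
        return dataSource.Queries.OfType<CustomSqlQuery>()
            .Where(q => !IsApproved(q.Sql))
            .Select(q => q.Name)
            .ToList();
    }

    // Tighten-only validation: a query rejected earlier stays rejected.
    public static void Attach(SqlDataSource dataSource)
    {
        dataSource.ValidateCustomSqlQuery += (sender, e) =>
        {
            if (!e.Valid) return;
            if (IsApproved(e.CustomSqlQuery.Sql)) return;
            e.Valid = false;
            e.ExceptionMessage = "Custom SQL query '" + e.CustomSqlQuery.Name + "' is not approved.";
        };
    }
}
```

Call Approve for each reviewed statement at application startup and Attach for every SqlDataSource that can carry user-authored queries. The database account used by the connection should still hold read-only privileges, as the note above recommends.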
