
SqlDataSource.ValidateCustomSqlQuery Event

Checks the validity of the custom SQL query used to supply the data source with data.

Namespace: DevExpress.DataAccess.Sql

Assembly: DevExpress.DataAccess.v25.1.dll

NuGet Package: DevExpress.DataAccess

Declaration

public event ValidateCustomSqlQueryEventHandler ValidateCustomSqlQuery

Event Data

The ValidateCustomSqlQuery event's data class is ValidateCustomSqlQueryEventArgs. The following properties provide information specific to this event:

| Property | Description |
|---|---|
| CustomSqlQuery | Gets a custom SQL query being validated. |
| ExceptionMessage | Gets or sets the exception message returned after validation of the custom SQL query. |
| Valid | Gets or sets whether or not the current SQL query is valid. |

Remarks

Important

The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data/database structure. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent the execution of potentially harmful requests.

We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Ensure that you follow best practices and implement the appropriate user read/write privileges at the database level. By setting permissions within the database, you ensure that only authorized users and processes can access or modify data.

The ValidateCustomSqlQuery event is raised each time the custom SQL query (CustomSqlQuery), which is used to select data, needs to be validated. The ValidateCustomSqlQuery event is raised in the following cases.

The e.CustomSqlQuery property returns the SQL query being validated. Initially, a custom query can contain only SELECT statements. If the custom query contains statements other than SELECT statements or the query is specified incorrectly, the e.Valid property is set to false. The e.ExceptionMessage property returns the corresponding exception message.

If necessary, you can check the validity of the custom SQL query manually and override the value of the e.Valid flag and corresponding e.ExceptionMessage.
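The following handler is an added example, not DevExpress code. It only tightens the default result: a query the default check rejected stays rejected, and a query that passed is still refused unless it reads solely from an allowlist of tables. The class name CustomSqlPolicy, the AllowedTables set and the table names Orders and Products are hypothetical, and the example assumes the query text is available through the Sql property of e.CustomSqlQuery.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using DevExpress.DataAccess;
using DevExpress.DataAccess.Sql;

public static class CustomSqlPolicy {
    // Hypothetical allowlist: the only tables/views report authors may read.
    static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Orders", "Products" };

    // Rejected outright: statement separators, comments, non-SELECT keywords and
    // comma-separated FROM lists. Deliberately strict, so a literal containing ';' also fails.
    static readonly Regex Forbidden = new Regex(
        @";|--|/\*|\b(insert|update|delete|merge|drop|alter|create|truncate|exec|execute|grant|into)\b" +
        @"|\b(?:from|join)\s+[\w\[\].]+(?:\s+(?:as\s+)?\w+)?\s*,",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Table name that follows FROM or JOIN (optionally schema-qualified or bracketed).
    static readonly Regex TableRef = new Regex(
        @"\b(?:from|join)\s+(?:\[?\w+\]?\.)?\[?(\w+)\]?",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static bool Check(string sql, out string reason) {
        reason = null;
        if (string.IsNullOrWhiteSpace(sql)) { reason = "Empty query."; return false; }
        Match bad = Forbidden.Match(sql);
        if (bad.Success) { reason = "Forbidden token: " + bad.Value; return false; }
        var tables = TableRef.Matches(sql).Cast<Match>()
                             .Select(m => m.Groups[1].Value).ToList();
        if (tables.Count == 0) { reason = "No table reference found."; return false; }
        string denied = tables.FirstOrDefault(t => !AllowedTables.Contains(t));
        if (denied != null) { reason = "Table not allowed: " + denied; return false; }
        return true;
    }

    // Attach with: dataSource.ValidateCustomSqlQuery += CustomSqlPolicy.OnValidate;
    public static void OnValidate(object sender, ValidateCustomSqlQueryEventArgs e) {
        if (!e.Valid) return;   // never re-enable a query the default check rejected
        string reason;
        if (!Check(e.CustomSqlQuery.Sql, out reason)) {
            e.Valid = false;
            e.ExceptionMessage = reason;
        }
    }
}
```

The pattern matching is a coarse filter, not a SQL parser, so it complements a read-only database account rather than replacing it.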

Important

The default validation is performed if the SqlDataSource.DisableCustomQueryValidation property is set to false.

To validate custom SQL for all queries created in an End-User Report Designer for WinForms, handle the SqlDataSource.ValidateCustomSqlQueryGlobal event.
