SqlDataSource.ValidateCustomSqlQuery Event
Checks the validity of the custom SQL query used to supply the data source with data.
Namespace: DevExpress.DataAccess.Sql
Assembly: DevExpress.DataAccess.v25.1.dll
NuGet Package: DevExpress.DataAccess
Declaration
Event Data
The ValidateCustomSqlQuery event's data class is ValidateCustomSqlQueryEventArgs. The following properties provide information specific to this event:
Property | Description |
---|---|
CustomSqlQuery | Gets a custom SQL query being validated. |
ExceptionMessage | Gets or sets the exception message returned after validation of the custom SQL query. |
Valid | Gets or sets whether or not the current SQL query is valid. |
Remarks
Important
The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data or database structure. Although the default validation mechanism only allows custom queries that contain SELECT statements (and rejects SELECT INTO clauses), it cannot be considered safe, because it does not prevent the execution of potentially harmful requests: a SELECT statement can still read every table the connection's account can reach, or call server-side functions that have side effects.
We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Follow best practices and grant the appropriate read/write privileges at the database level, using a dedicated, least-privileged account for report data sources. By setting permissions within the database, you ensure that only authorized users and processes can access or modify data, regardless of what a query passes through application-side validation.
The ValidateCustomSqlQuery event is raised each time the custom SQL query (CustomSqlQuery) used to select data needs to be validated, which happens in the following cases.
- On the SqlDataSource.Fill method call.
- On the SqlDataSource.RebuildResultSchema method call.
The e.CustomSqlQuery property returns the SQL query being validated. By default, a custom query may contain only SELECT statements. If the custom query contains statements other than SELECT statements, or the query is malformed, the e.Valid property is set to false and the e.ExceptionMessage property returns the corresponding exception message.
If necessary, you can check the validity of the custom SQL query manually and override the value of the e.Valid flag and the corresponding e.ExceptionMessage. Note that setting e.Valid to true for a query the default check has already rejected re-enables exactly the statements the default check exists to block; treat the handler as a place to add restrictions, not to remove them.
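The following handler is an added example, not code from the DevExpress documentation or library. It keeps the default verdict when the built-in check has already rejected the query and then applies three further rules of its own: no comments or statement separators, no keywords that a read-only report never needs, and every table referenced after FROM or JOIN must be on an allowlist. The table names, the keyword list and the IsAcceptable helper are illustrative choices; the query text is assumed to come from the Sql property of the CustomSqlQuery object, which this page does not list. The Main method only exercises the helper with constructed queries, since raising the event itself requires a Fill call against a live database.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using DevExpress.DataAccess.Sql;

// Added example: extra validation layered on top of the default SELECT-only check.
public static class CustomQueryGuard
{
    // Tables a report is permitted to read (hypothetical names).
    static readonly string[] AllowedTables = { "Products", "Categories" };

    // Keywords and features that a read-only report query never needs.
    static readonly Regex Forbidden = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|" +
        @"EXEC|EXECUTE|INTO|WAITFOR|OPENROWSET|OPENQUERY|xp_\w+|sp_\w+)\b",
        RegexOptions.IgnoreCase);

    // Every identifier that directly follows FROM or JOIN. Sub-selects are
    // covered too, because their own FROM clauses match as well.
    static readonly Regex TableRef = new Regex(
        @"\b(?:FROM|JOIN)\s+([A-Za-z_\[][\w\.\[\]]*)", RegexOptions.IgnoreCase);

    public static void Attach(SqlDataSource dataSource)
    {
        dataSource.ValidateCustomSqlQuery += OnValidateCustomSqlQuery;
    }

    static void OnValidateCustomSqlQuery(object sender, ValidateCustomSqlQueryEventArgs e)
    {
        // The default check (SELECT only, no SELECT INTO) has already run when
        // DisableCustomQueryValidation is false. Never turn a rejection into an acceptance.
        if (!e.Valid)
            return;

        string reason;
        // Assumption: CustomSqlQuery.Sql holds the statement text.
        if (!IsAcceptable(e.CustomSqlQuery.Sql, out reason))
        {
            e.Valid = false;
            e.ExceptionMessage = reason;
        }
    }

    // Returns true when the query passes every additional rule; otherwise
    // returns false and explains why in 'reason'.
    public static bool IsAcceptable(string sql, out string reason)
    {
        if (string.IsNullOrWhiteSpace(sql))
        {
            reason = "The custom query is empty.";
            return false;
        }

        // Comments and batch separators are the usual way a SELECT is turned into something else.
        if (sql.Contains("--") || sql.Contains("/*") || sql.Contains(";"))
        {
            reason = "Comments and statement separators are not allowed in custom queries.";
            return false;
        }

        Match bad = Forbidden.Match(sql);
        if (bad.Success)
        {
            reason = "The keyword '" + bad.Value + "' is not allowed in a custom query.";
            return false;
        }

        // Reduce [dbo].[Products] or dbo.Products to the bare table name.
        var tables = TableRef.Matches(sql).Cast<Match>()
            .Select(m => m.Groups[1].Value.Split('.').Last().Trim('[', ']'))
            .ToList();
        if (tables.Count == 0)
        {
            // A regex is not a SQL parser: reject what cannot be understood.
            reason = "Could not determine which tables the custom query reads.";
            return false;
        }

        string denied = tables.FirstOrDefault(
            t => !AllowedTables.Contains(t, StringComparer.OrdinalIgnoreCase));
        if (denied != null)
        {
            reason = "Table '" + denied + "' is not available to custom queries.";
            return false;
        }

        reason = null;
        return true;
    }

    // Runs the helper against constructed sample queries; no database is needed.
    public static void Main()
    {
        string[] samples =
        {
            "SELECT ProductName, UnitPrice FROM Products WHERE UnitPrice > 10",
            "SELECT p.ProductName FROM [dbo].[Products] p JOIN Categories c ON c.CategoryID = p.CategoryID",
            "SELECT * FROM Products; DROP TABLE Products",
            "SELECT * FROM Employees",
            "SELECT * FROM Products WHERE 1=1 -- AND CategoryID = 1",
        };
        foreach (string sql in samples)
        {
            string reason;
            bool ok = IsAcceptable(sql, out reason);
            Console.WriteLine((ok ? "accepted: " : "rejected: ") + sql + (ok ? "" : "  (" + reason + ")"));
        }
    }
}
```

In the sample run the first two queries are accepted and the remaining three are rejected: the batch and the comment fail the separator rule, and the Employees query, which the default SELECT-only check would let through, fails the allowlist. The allowlist is the part that does real work here; the keyword list is only a tripwire, and the database account behind the SqlDataSource must still be limited to the same tables, as the Important note above requires.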
Important
The default validation is performed only if the SqlDataSource.DisableCustomQueryValidation property is set to false (its default value). Setting it to true removes the built-in SELECT-only check, so leave it at false unless you have replaced that check with stricter verification of your own.
To validate custom SQL for all queries created in an End-User Report Designer for WinForms, handle the SqlDataSource.ValidateCustomSqlQueryGlobal event.