
ICustomQueryValidator Interface

Namespace: DevExpress.DataAccess.Wizard.Services

Assembly: DevExpress.DataAccess.v25.1.dll

NuGet Package: DevExpress.DataAccess

Declaration

public interface ICustomQueryValidator

The following members return ICustomQueryValidator objects:

Library                      | Related API Members
Cross-Platform Class Library | ISqlDataSourceWizardCustomizationService.CustomQueryValidator
WinForms Controls            | EditQueryContext.QueryValidator
WinForms Controls            | QueryBuilderEditQueryContext.CustomQueryValidator

Remarks

Important

The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data/database structure. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent the execution of potentially harmful requests.

We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Ensure that you follow best practices and implement the appropriate user read/write privileges at the database level. By setting permissions within the database, you ensure that only authorized users and processes can access or modify data.

A user can write custom SQL queries in the SQL Data Source Wizard if custom SQL editing is enabled.

When a user saves a custom SQL query, the validation service processes the query text. The default validation service allows only queries with SELECT statements (except for SELECT INTO clauses).

A custom validation service implements the ISqlDataSourceWizardCustomizationService interface. To integrate a validator into your application, implement the ICustomQueryValidator interface and return your validator from the service's CustomQueryValidator property.

Warning

If you implement and register a custom validation service, the End-User Report Designer uses the ISqlDataSourceWizardCustomizationService.IsCustomSqlDisabled property value to determine whether to enable custom SQL. The EnableCustomSql method is unnecessary.

The following code illustrates how to implement the validator and the service:

using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Wizard.Services;
using DevExpress.DataAccess.Web;
// ...

public class MyCustomValidator : ICustomQueryValidator {
    public bool Validate(DataConnectionParametersBase connectionParameters, string sql, ref string message) {
        // Add your custom validation logic here.
        // Return true if the query is valid; otherwise, set 'message' to the reason
        // shown to the user and return false.
        // Until real checks are in place, reject every query so that the stub
        // cannot silently pass unsafe SQL through to the database.
        message = "Custom SQL validation is not implemented.";
        return false;
    }
}

public class CustomSqlDataSourceWizardCustomizationService : ISqlDataSourceWizardCustomizationService {
    public ICustomQueryValidator CustomQueryValidator {
        get { return new MyCustomValidator(); }
    }

    public bool IsCustomSqlDisabled {
        get { return false; }
    }
}
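A fuller validator than the stub above, added here as an example and not DevExpress's own code. The class name SelectOnlyQueryValidator and the keyword list are my own choices; the only framework API it depends on is the Validate signature shown above. It accepts a single SELECT statement and rejects comments, statement separators, and any keyword that could modify data or schema, so the query cannot reach the database as anything other than one read:

```csharp
using System.Text.RegularExpressions;
using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Wizard.Services;

// Allow-list validator (example, not part of the DevExpress API).
public class SelectOnlyQueryValidator : ICustomQueryValidator {
    // Keywords that must not appear anywhere in the query, even nested inside a SELECT.
    // INTO is included so that SELECT ... INTO cannot create a table.
    static readonly Regex ForbiddenKeyword = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|GRANT|REVOKE|INTO)\b",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);
    // A quoted string literal ('' is an escaped quote); stripped before the keyword check
    // so that a literal such as 'delete me' is not flagged.
    static readonly Regex StringLiteral = new Regex(@"'(?:[^']|'')*'", RegexOptions.Compiled);

    public bool Validate(DataConnectionParametersBase connectionParameters, string sql, ref string message) {
        if (string.IsNullOrWhiteSpace(sql)) {
            message = "The query is empty.";
            return false;
        }
        string text = sql.Trim();
        // Comments are rejected outright: they are a common way to hide a second statement.
        if (text.Contains("--") || text.Contains("/*")) {
            message = "SQL comments are not permitted in custom queries.";
            return false;
        }
        // A statement separator would let a second statement ride along with the SELECT.
        if (text.Contains(";")) {
            message = "Only a single statement is permitted; remove ';' separators.";
            return false;
        }
        // Only a statement that starts with SELECT is accepted.
        if (!Regex.IsMatch(text, @"^SELECT\b", RegexOptions.IgnoreCase)) {
            message = "Only SELECT statements are permitted.";
            return false;
        }
        // Strip string literals, then look for modifying keywords in what remains.
        string stripped = StringLiteral.Replace(text, "''");
        Match m = ForbiddenKeyword.Match(stripped);
        if (m.Success) {
            message = $"The keyword '{m.Value.ToUpperInvariant()}' is not permitted in custom queries.";
            return false;
        }
        message = null;
        return true;
    }
}
```

The check works on query text only, so a quoted identifier such as [Delete] is rejected as a false positive (a deliberate deny-by-default trade-off); as the note above says, database-level read-only privileges remain the primary control.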

Once complete, you should register the service in your application. Call the control’s RegisterSqlDataSourceWizardCustomizationService method to register the service for DevExpress Reports:

ASP.NET Web Forms or ASP.NET MVC

Call the static DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<T> method at application startup:

using DevExpress.XtraReports.Web.ReportDesigner;

protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<CustomSqlDataSourceWizardCustomizationService>();
}

ASP.NET Core

Call the ReportDesignerConfigurationBuilder.RegisterSqlDataSourceWizardCustomizationService method in the application startup file:

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.ConfigureReportingServices(configurator => {
    configurator.ConfigureReportDesigner(designerConfigurator => {
        designerConfigurator.RegisterDataSourceWizardConfigFileConnectionStringsProvider();
        designerConfigurator.RegisterSqlDataSourceWizardCustomizationService<CustomSqlDataSourceWizardCustomizationService>();
    });
});

var app = builder.Build();

This configuration ensures that any custom SQL query entered by a user is validated according to your rules before it is executed.
