Storing connection strings in the application's configuration file is a suitable approach for a development environment. In a production environment, handle the ConfigureDataConnection events instead, because this allows you to supply connection settings at run time and implement more flexible security models.
The Data Source Wizard allows only visual construction of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.
Manual editing of SQL queries is considered unsafe and is disabled by default. You can enable SQL editing at your own risk using the approach described in the following document: Custom SQL Queries
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe, as it does not prevent the execution of potentially harmful requests. Before enabling this option, please make sure to apply a secure SQL validation that prevents the execution of harmful requests.
We recommend utilizing the access control functionality of your database management system to achieve the highest level of database security.
If an end-user opens a dashboard that contains a DashboardObjectDataSource, the following message is displayed by default before the data is loaded:
Loading the data sources referenced in this file may harm your computer. Was this file obtained from a trusted source?
This dialog allows end-users to select whether to trust the object data sources available in the application. You can change this default logic using the DataSourceOptionsContainer.ObjectDataSourceLoadingBehavior property.
For instance, you can allow any object data sources to be loaded, or you can load object data sources in a safe mode, in which their data member and data source settings are cleared.
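The following example, which is added here and is not code from the DevExpress documentation, shows how the settings discussed on this page (a ConfigureDataConnection handler instead of configuration-file connection strings, a stricter custom SQL validator, and a non-interactive object data source loading behavior) can be wired up in one place on an ASP.NET Core DashboardConfigurator. Assumed and not taken from the page: the DevExpress member names ValidateCustomSqlQuery, AllowExecutingCustomSql, DataSourceOptions, MsSqlConnectionParameters, MsSqlAuthorizationType and the enum name DashboardObjectDataSourceLoadingBehavior; the connection name "NorthwindReadOnly", the view names and the DashboardSecrets helper are constructed for the example.

```csharp
// Added example (not the page's or DevExpress' own code). API names other than
// ConfigureDataConnection and DataSourceOptionsContainer.ObjectDataSourceLoadingBehavior
// are assumed from the DevExpress.DashboardWeb / DevExpress.DataAccess assemblies.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using DevExpress.DashboardCommon;
using DevExpress.DashboardWeb;
using DevExpress.DataAccess.ConnectionParameters;

public static class DashboardSecurityConfig
{
    // Constructed allowlist: the only database objects a custom SQL query may read.
    static readonly HashSet<string> AllowedViews =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "vw_Sales", "vw_Regions" };

    public static void Apply(DashboardConfigurator configurator)
    {
        // 1. Resolve connection parameters at run time; nothing is read from
        //    appsettings. The connection name is the one stored in the dashboard
        //    definition; credentials come from a secret store (DashboardSecrets is
        //    a hypothetical helper standing in for your vault/key store).
        configurator.ConfigureDataConnection += (sender, e) =>
        {
            if (e.ConnectionName == "NorthwindReadOnly")
            {
                var secret = DashboardSecrets.Get("NorthwindReadOnly"); // hypothetical
                e.ConnectionParameters = new MsSqlConnectionParameters(
                    secret.Server, secret.Database,
                    secret.UserName, secret.Password,   // a login limited to SELECT on AllowedViews
                    MsSqlAuthorizationType.SqlServer);
            }
        };

        // 2. Custom SQL is disabled by default. If it must be enabled, replace the
        //    built-in "starts with SELECT" check with an allowlist-based validator.
        configurator.AllowExecutingCustomSql = true;
        configurator.ValidateCustomSqlQuery += (sender, e) =>
        {
            e.Valid = IsSafeSelect(e.CustomSqlQuery, AllowedViews);
        };

        // 3. Object data sources: load them in safe mode (data member and data
        //    source settings cleared) instead of prompting the end-user. Enum name assumed.
        configurator.DataSourceOptions.ObjectDataSourceLoadingBehavior =
            DashboardObjectDataSourceLoadingBehavior.LoadSafely;
    }

    // Accepts only a single SELECT statement that reads allowlisted objects.
    // Anything the simple grammar below cannot account for is rejected, which
    // includes derived tables, subqueries in FROM, batches, comments and string
    // literals (values should arrive through dashboard parameters, not inline text).
    public static bool IsSafeSelect(string sql, ISet<string> allowedObjects)
    {
        if (string.IsNullOrWhiteSpace(sql)) return false;
        string s = sql.Trim();

        // No batching, comments or quote-based escapes.
        if (s.Contains(';') || s.Contains("--") || s.Contains("/*") || s.Contains('\''))
            return false;

        // Must be a single SELECT statement.
        if (!Regex.IsMatch(s, @"^SELECT\s", RegexOptions.IgnoreCase)) return false;

        // Reject SELECT INTO and any data-changing or procedural keyword, even
        // when it appears inside a subquery.
        const string Denied =
            @"\b(INTO|INSERT|UPDATE|DELETE|MERGE|EXEC|EXECUTE|DROP|ALTER|CREATE|TRUNCATE|GRANT|OPENROWSET|OPENQUERY)\b|\bxp_";
        if (Regex.IsMatch(s, Denied, RegexOptions.IgnoreCase)) return false;

        // Every name following FROM or JOIN must be an allowlisted object.
        var referenced = Regex.Matches(s, @"\b(?:FROM|JOIN)\s+([\w\.\[\]]+)", RegexOptions.IgnoreCase)
            .Cast<Match>()
            .Select(m => m.Groups[1].Value.Trim('[', ']'))
            .ToList();
        return referenced.Count > 0 && referenced.All(allowedObjects.Contains);
    }
}
```

The validator is deliberately narrow: it is an allowlist over the objects a query may touch, not an attempt to recognise every harmful construct, and it should be paired with the database-level access control the page recommends (a login that can only SELECT from the allowlisted views), so that a query slipping past the text check still cannot do damage.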