Enable Custom SQL in Report Designer

This document describes how to enable custom SQL editing on the query creation page of the SQL Data Source Wizard.


Important

For security reasons, enabling custom SQL editing is not recommended if your web reporting application can be accessed by untrusted parties. Refer to the General Security Considerations document for more information.

To enable custom SQL editing, call the static DefaultReportDesignerContainer.EnableCustomSql method on application start as shown in the code sample below.

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.EnableCustomSql();
    // ...
}

You can also accomplish this task by implementing an ISqlDataSourceWizardCustomizationService. The ISqlDataSourceWizardCustomizationService.IsCustomSqlDisabled property indicates whether or not custom SQL editing should be disabled by default.

using DevExpress.DataAccess.Web;
// ...
public class CustomSqlDataSourceWizardCustomizationService : ISqlDataSourceWizardCustomizationService {
    public DevExpress.DataAccess.Wizard.Services.ICustomQueryValidator CustomQueryValidator {
        get { return new MyCustomQueryValidator(); } // Validator that checks each custom query before execution.
    }

    public bool IsCustomSqlDisabled {
        get { return false; } // Enable custom SQL editing.
    }
}

To register a custom SQL Data Source Wizard customization service, pass it as a type parameter to the static DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<T> method on application start.

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<CustomSqlDataSourceWizardCustomizationService>();
    // ...
}

Important

Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds. To learn more, see the Provide Custom Query Validation in Report Designer document.
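
One possible core for the validation logic recommended above, as an added example that is not DevExpress code and does not come from the original document: a deny-by-default check that accepts a single narrow query shape over an approved set of tables and columns. The QueryShapeCheck class, its IsAllowed method, and the sample table and column names are hypothetical; call the method from your own ICustomQueryValidator implementation, whose members are covered in the Provide Custom Query Validation in Report Designer document.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Added example: hypothetical helper with a constructed sample schema (not DevExpress API).
public static class QueryShapeCheck {
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase) {
            { "Products", Set("ProductName", "UnitPrice", "CategoryID") },
            { "Categories", Set("CategoryID", "CategoryName") }
        };

    // The only accepted shape: SELECT col[, col...] FROM table [ORDER BY col [ASC|DESC]].
    // The pattern is anchored at both ends, so comments, semicolons, subqueries,
    // function calls, SELECT INTO and any second statement fail to match.
    static readonly Regex Shape = new Regex(
        @"\A\s*SELECT\s+(?<cols>[a-z_][a-z0-9_]*(\s*,\s*[a-z_][a-z0-9_]*)*)\s+FROM\s+" +
        @"(?<table>[a-z_][a-z0-9_]*)(\s+ORDER\s+BY\s+(?<order>[a-z_][a-z0-9_]*)(\s+(ASC|DESC))?)?\s*\z",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
    static HashSet<string> Set(params string[] names) {
        return new HashSet<string>(names, StringComparer.OrdinalIgnoreCase);
    }

    // Returns true only for a query of the approved shape over approved names.
    public static bool IsAllowed(string sql, out string message) {
        message = null;
        // Non-ASCII input is refused outright to rule out look-alike characters.
        if (string.IsNullOrWhiteSpace(sql) || sql.Any(c => c > 127)) {
            message = "Query is empty or contains non-ASCII characters.";
            return false;
        }
        Match m = Shape.Match(sql);
        if (!m.Success) {
            message = "Only single-table SELECT queries of the approved shape are permitted.";
            return false;
        }
        HashSet<string> columns;
        if (!Allowed.TryGetValue(m.Groups["table"].Value, out columns)) {
            message = "Table is not approved for reporting.";
            return false;
        }
        List<string> requested = m.Groups["cols"].Value.Split(',').Select(c => c.Trim()).ToList();
        if (m.Groups["order"].Success) requested.Add(m.Groups["order"].Value);
        string bad = requested.FirstOrDefault(c => !columns.Contains(c));
        if (bad != null) message = "Column '" + bad + "' is not approved for this table.";
        return bad == null;
    }
}
```

Anything the pattern does not describe is rejected, so supporting another query kind means widening the pattern and the approved schema deliberately.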
