Enable Custom SQL in Report Designer

This document describes how to allow users to specify custom SQL queries.

Important

Do not enable custom SQL if any untrusted parties have access to your application. Refer to the General Security Considerations document for more information.

To enable users to specify custom SQL queries in an ASP.NET WebForms or ASP.NET MVC application, call the static DefaultReportDesignerContainer.EnableCustomSql method on application start as shown in the code sample below.

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.EnableCustomSql();
    // ...
}

In an ASP.NET Core application, call the ReportDesignerConfigurationBuilder.EnableCustomSql method on application start as shown in the code sample below.

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;
//... 

public class Startup {
//... 
    public void ConfigureServices(IServiceCollection services) {
        services.AddDevExpressControls();
        services.AddMvc(); 

        services.ConfigureReportingServices(configurator => {
            configurator.ConfigureReportDesigner(designerConfigurator => {
                designerConfigurator.EnableCustomSql();
            });
        });
    }
//...
}

Important

Custom SQL queries are validated before their execution. The default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses) but does not prevent the execution of potentially harmful requests. For this reason, we recommend that you implement your own validation logic that allows users to execute only specific queries. See the Provide Custom Query Validation in Report Designer document for more information.
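The following added example (not DevExpress code) sketches allow-list validation logic of the kind recommended above: a query is accepted only if it matches text approved in advance, so a query that is a plain SELECT statement but is not on the list is still denied. The ApprovedQueryList class, its Validate signature, and the sample table names are assumptions made for illustration; the Provide Custom Query Validation in Report Designer document describes how to connect validation logic to the Report Designer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

// Hypothetical helper, not a DevExpress type: a query passes only when its
// whitespace-normalized text exactly matches an entry approved in advance.
public sealed class ApprovedQueryList {
    private readonly HashSet<string> approved;

    public ApprovedQueryList(IEnumerable<string> approvedQueries) {
        approved = new HashSet<string>(approvedQueries.Select(Normalize), StringComparer.Ordinal);
    }

    // Trims and collapses whitespace runs so that layout differences do not matter.
    // Runs inside string literals collapse too, and the comparison stays
    // case-sensitive, so approve each query in the exact form the designer sends.
    private static string Normalize(string sql) {
        return Regex.Replace((sql ?? string.Empty).Trim(), @"\s+", " ");
    }

    // Returns true only for approved text; everything else is denied by default.
    public bool Validate(string sql, out string message) {
        bool ok = approved.Contains(Normalize(sql));
        message = ok ? string.Empty : "Query is not on the approved list.";
        return ok;
    }
}

public static class Demo {
    public static void Main() {
        // Constructed sample data: table and column names are placeholders.
        var list = new ApprovedQueryList(new[] {
            "SELECT OrderID, OrderDate, Total FROM Orders",
            "SELECT ProductID, ProductName FROM Products"
        });
        string[] submitted = {
            "SELECT OrderID, OrderDate, Total\n    FROM Orders  ",     // approved, different layout
            "SELECT Name, Salary FROM Employees",                      // a plain SELECT, but not approved
            "SELECT ProductID, ProductName FROM Products WHERE 1 = 1"  // approved query with extra text
        };
        foreach (string sql in submitted) {
            bool ok = list.Validate(sql, out string message);
            Console.WriteLine("{0,-6} {1}", ok ? "ALLOW" : "DENY", ok ? sql.Trim() : message);
        }
    }
}
```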
