Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Create End-User Reporting Applications > Web Reporting > Application Security > Enable Custom SQL in Report Designer
A newer version of this page is available. .
All docs
V18.2
Reporting
Product Information
Get Started with DevExpress Reporting
Create Popular Reports
Detailed Guide to DevExpress Reporting
Visual Studio Report Designer
Create End-User Reporting Applications
Cross-Platform Reporting
WinForms Reporting
WPF Reporting
Web Reporting
General Information
ASP.NET WebForms Reporting
ASP.NET MVC Reporting
ASP.NET Core Reporting
JavaScript Reporting
Application Security
General Security Considerations
Data Access Security
Enable Custom SQL in Report Designer
Provide Custom Query Validation in Report Designer
End-User Documentation
WCF Report Service
Discontinued Platforms
Localization
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Download CHM

Enable Custom SQL in Report Designer

  • 2 minutes to read

This document describes how to enable custom SQL editing on the query creation page of the SQL Data Source Wizard.

web-report-designer-custom-sql

Important

For security reasons, enabling custom SQL editing is not recommended if your web reporting application can be accessed by untrusted parties. Refer to the General Security Considerations document for more information.

To enable custom SQL editing, call the static DefaultReportDesignerContainer.EnableCustomSql method on application start as shown in the code sample below.

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.EnableCustomSql();
    // ...
}

You can also accomplish this task by implementing an ISqlDataSourceWizardCustomizationService. The ISqlDataSourceWizardCustomizationService.IsCustomSqlDisabled property indicates whether or not custom SQL editing should be disabled by default.

using DevExpress.DataAccess.Web;
// ...
public class CustomSqlDataSourceWizardCustomizationService : ISqlDataSourceWizardCustomizationService {
    public DevExpress.DataAccess.Wizard.Services.ICustomQueryValidator CustomQueryValidator {
        get { return new MyCustomQueryValidator(); }
    }

    public bool IsCustomSqlDisabled {
        get { return false; } // Enable custom SQL editing.
    }
}

To register custom SQL Data Source Wizard customization service, pass it as a type parameter to the static DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<T> method on application start.

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<CustomSqlDataSourceWizardCustomizationService>();
    // ...
}

Important

Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds. To learn more, see the Provide Custom Query Validation in Report Designer document.

See Also