Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Create End-User Reporting Applications > Web Reporting > Application Security > Enable Custom SQL in Report Designer
A newer version of this page is available. .
All docs
V19.2
Reporting
Product Information
Get Started with DevExpress Reporting
Create Popular Reports
Detailed Guide to DevExpress Reporting
Visual Studio Report Designer
Create End-User Reporting Applications
Cross-Platform Reporting
WinForms Reporting
WPF Reporting
Web Reporting
General Information
ASP.NET WebForms Reporting
ASP.NET MVC Reporting
ASP.NET Core Reporting
JavaScript Reporting
Application Security
General Security Considerations
Data Access Security
Enable Custom SQL in Report Designer
Provide Custom Query Validation in Report Designer
End-User Documentation
WCF Report Service
Discontinued Platforms
Localization
Redistribution and Deployment
Reporting in .NET Core 3 (CTP)
API Reference
ASP.NET Core API Reference
Client API Reference
Client API Reference (WebForms & MVC)
Download CHM

Enable Custom SQL in Report Designer

  • 2 minutes to read

This document describes how to allow users to specify custom SQL queries.

Important

Do not enable custom SQL if any untrusted parties have access to your application. Refer to the General Security Considerations document for more information.

To enable users to specify custom SQL queries in an ASP.NET WebForms or ASP.NET MVC application, call the static DefaultReportDesignerContainer.EnableCustomSql method on application start as shown in the code sample below.

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.EnableCustomSql();
    // ...
}

In an ASP.NET Core application, call the ReportDesignerConfigurationBuilder.EnableCustomSql method on application start as shown in the code sample below.

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;
//... 

public class Startup {
//... 
    public void ConfigureServices(IServiceCollection services) {
        services.AddDevExpressControls();
        services.AddMvc(); 

        services.ConfigureReportingServices(configurator => {
            configurator.ConfigureReportDesigner(designerConfigurator => {
                designerConfigurator.EnableCustomSql();
            });
        });
    }
//...
}

Important

Custom SQL queries are validated before their execution. The default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses) but does not prevent the execution of potentially harmful requests. For this reason, we recommend that you implement your own validation logic that allows users to execute only specific queries. See the Provide Custom Query Validation in Report Designer document for more information.

See Also