Custom SQL Query in Report Designer

  • 2 minutes to read

This document describes how to allow users to bypass the Query Builder in SQL query editing.

Enable Custom SQL Query

To allow users to specify custom SQL queries in a reporting web application, use the following code:

ASP.NET Web Forms or ASP.NET MVC

Call the static DefaultReportDesignerContainer.EnableCustomSql method on application start:

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
   DefaultReportDesignerContainer.EnableCustomSql();
   // ...
}
ASP.NET Core

Call the ReportDesignerConfigurationBuilder.EnableCustomSql method on application start:

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;
//... 

public class Startup {
//... 
   public void ConfigureServices(IServiceCollection services) {
       services.AddDevExpressControls();
       services.AddMvc(); 

       services.ConfigureReportingServices(configurator => {
           configurator.ConfigureReportDesigner(designerConfigurator => {
               designerConfigurator.EnableCustomSql();
           });
       });
   }
//...
}
IMPORTANT

Do not enable custom SQL queries if untrusted parties have access to your application. Refer to the following topic for more information: General Security Considerations.

Write Custom SQL Query

.

Custom SQL Query Validation

Custom SQL queries are validated before execution. The default validation mechanism allows only queries with SELECT statements (except for SELECT INTO clauses) but does not prevent execution of potentially harmful requests. To improve security, implement validation logic that allows users to execute only queries that meet certain criteria. Review the following topic for information on how to implement custom validation: Custom SQL Query Validation.

See Also