Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Web Reporting > Application Security > Custom SQL Query in Report Designer
A newer version of this page is available. .
All docs
V20.2
Reporting
Product Information
Get Started with DevExpress Reporting
Create Reports
Detailed Guide to DevExpress Reporting
Visual Studio Report Designer
WinForms Reporting
WPF Reporting
Web Reporting
General Information
Document Viewer
Mobile Viewer UI
Report Designer
ASP.NET Web Forms Reporting
ASP.NET MVC Reporting
ASP.NET Core Reporting
JavaScript Reporting
Blazor Reporting
Client-Side API
Application Security
General Security Considerations
Authorized Access
Data Access Security
Custom SQL Query in Report Designer
Custom SQL Query Validation
Accessibility
End-User Documentation
WCF Report Service
Discontinued Platforms
Localize Reporting Applications
Redistribution and Deployment
Reporting in .NET Core 3.x and .NET 5
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

Custom SQL Query in Report Designer

  • 2 minutes to read

This document describes how to allow users to bypass the Query Builder in SQL query editing.

Enable Custom SQL Query

To allow users to specify custom SQL queries in a reporting web application, use the following code:

ASP.NET Web Forms or ASP.NET MVC

Call the static DefaultReportDesignerContainer.EnableCustomSql method on application start:

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
   DefaultReportDesignerContainer.EnableCustomSql();
   // ...
}
ASP.NET Core

Call the ReportDesignerConfigurationBuilder.EnableCustomSql method on application start:

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;
//... 

public class Startup {
//... 
   public void ConfigureServices(IServiceCollection services) {
       services.AddDevExpressControls();
       services.AddMvc(); 

       services.ConfigureReportingServices(configurator => {
           configurator.ConfigureReportDesigner(designerConfigurator => {
               designerConfigurator.EnableCustomSql();
           });
       });
   }
//...
}

Important

Do not enable custom SQL queries if untrusted parties have access to your application. Refer to the following topic for more information: General Security Considerations.

Write Custom SQL Query

.

Custom SQL Query Validation

Custom SQL queries are validated before execution. The default validation mechanism allows only queries with SELECT statements (except for SELECT INTO clauses) but does not prevent execution of potentially harmful requests. To improve security, implement validation logic that allows users to execute only queries that meet certain criteria. Review the following topic for information on how to implement custom validation: Custom SQL Query Validation.

See Also