Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Reporting for Web > Common Features > Security > Custom SQL Query in Report Designer
All docs
V25.1
Reporting
Product Information
What's New
.NET Support
Get Started with DevExpress Reporting
Create Different Report Types (Walkthroughs)
Detailed Guide to DevExpress Reporting
Memory Usage in Reporting - Best Practices
Localize Reporting Applications
Security Considerations
AI-powered Extensions
Visual Studio Report Designer
VS Code Report Designer
Reporting for Desktop
Reporting for .NET MAUI
Reporting for Web
Common Features
Web Report Controls Architecture
Security
General Security Considerations
Authorized Access
Application Permissions
Data Access Security
Multi-Tenant Support
Custom SQL Query in Report Designer
Custom SQL Query Validation
Printing and Export
Accessibility
Integrate Document Viewer Components
Client-Side Functionality
Themes and Styles
Keyboard Shortcuts
Localization
Supported Browsers
Display Documents from the Report and Dashboard Server
Custom HTML Templates
Web Farm and Web Garden Support
Document Viewer for Web
End-User Report Designer for Web
Standalone Report Parameters Panel for Web
Web UI Development Bundles that Include Reports
Reporting for Blazor
Reporting for ASP.NET Core
Reporting for Angular
Reporting for React
Reporting for Knockout-based Applications
Reporting for Vue
Reporting for ASP.NET MVC
Reporting for ASP.NET Web Forms
Version Upgrade Guide
Troubleshooting
Reporting .NET Migration Guides
Cloud Integration
.NET Aspire Integration
Cross-Platform .NET App UI
Backend Web API Service / REST API for Reporting
WCF Report Service
End-User Documentation
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

DevExpress v25.1 Update — Your Feedback Matters

Our What's New in v25.1 webpage includes product-specific surveys. Your response to our survey questions will help us measure product satisfaction for features released in this major update and help us refine our plans for our next major release.

Take the survey Not interested

Custom SQL Query in the Report Designer for Web

  • 3 minutes to read
In This Article
Enable Custom SQL Query
ASP.NET Web Forms or ASP.NET MVC
ASP.NET Core
Write Custom SQL Query
Use Data Source Wizard

Query Builder component users can create only secure SELECT SQL queries. You can allow users to create custom queries and edit SQL queries directly.

Important

The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data/database structure. The default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses) and blocks any SQL keywords that can potentially be used for data modification (like REPLACE, UPDATE, INSERT, DELETE, and other SQL statements). Despite this precaution, this validation is not considered safe as it does not prevent the execution of potentially harmful requests.

We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Ensure that you follow best practices and implement the appropriate user read/write privileges at the database level.

#Enable Custom SQL Query

To allow users to specify custom SQL queries in a reporting web application, use the following code:

#ASP.NET Web Forms or ASP.NET MVC

Call the static DefaultReportDesignerContainer.EnableCustomSql method at application startup:

using DevExpress.XtraReports.Web.ReportDesigner;
// ...
protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.EnableCustomSql();
    // ...
}

#ASP.NET Core

Call the ReportDesignerConfigurationBuilder.EnableCustomSql method at application startup:

using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDevExpressControls();
builder.Services.AddMvc(); 

builder.Services.ConfigureReportingServices(configurator => {
    configurator.ConfigureReportDesigner(designerConfigurator => {
        designerConfigurator.EnableCustomSql();
    });
});

builder.Services.ConfigureReportingServices(configurator => {
    if(builder.Environment.IsDevelopment()) {
        configurator.UseDevelopmentMode();
    }
    configurator.ConfigureReportDesigner(designerConfigurator => {
    });
    configurator.ConfigureWebDocumentViewer(viewerConfigurator => {
        // Use cache for document generation and export.
        // This setting is necessary in asynchronous mode and when a report has interactive or drill-down features.
        viewerConfigurator.UseCachedReportSourceBuilder();
    });
});

var app = builder.Build();

#Write Custom SQL Query

#Use Data Source Wizard

In the Data Source Wizard Settings page, when custom SQL queries are enabled, the plus button invokes a context menu. Users can choose whether to run the Query Builder or write a custom SQL query.

web-report-designer-custom-sql-menu

web-report-designer-custom-sql-editor

#Use Field List

In the Field List click the web-designer-field-list-data-source-add-query button next to the data source name to invoke the Create a Query or Select a Stored Procedure dialog.

web-report-designer-field-list

When custom SQL queries are enabled, users can type a custom query.

web-report-designer-custom-sql-dswizard

#Custom SQL Query Validation

Custom SQL queries are validated before their execution.

Although the default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses), it is not considered safe as it does not prevent execution of potentially harmful requests.

For this reason, we strongly recommend that you take the following actions:

  • Implement validation logic that allows users to execute only queries that meet certain criteria.
  • Implement the appropriate user read/write privileges at the database level.

See the following topic for details: Custom SQL Query Validation (Web).

See Also