
Custom SQL Query in Report Designer (WinForms)


This document describes how to allow users to edit SQL queries in the Data Source Wizard of the End-User Report Designer for WinForms.

Important

The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data/database structure. The default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses) and blocks any SQL keywords that can potentially be used for data modification (like REPLACE, UPDATE, INSERT, DELETE, and other SQL statements). Despite this precaution, this validation is not considered safe as it does not prevent the execution of potentially harmful requests.

We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Ensure that you follow best practices and implement the appropriate user read/write privileges at the database level.

# How to Enable Custom SQL

Do the following to allow users to edit SQL queries:

  1. Select the reportDesigner1 component (XRDesignMdiController) in the component tray:

    WinForms-report-designer-select-mdi-controller-ribbon

  2. In the Properties window, expand the XRDesignMdiController.SqlWizardSettings complex property and set the SqlWizardSettings.EnableCustomSql property to true.

    WinForms-report-designer-enable-custom-sql

    The following warning appears before you change the EnableCustomSql property value:

    WinForms-report-designer-enable-custom-sql-warning

In code, use the SqlWizardOptions.EnableCustomSql property.

# SQL Editing Enabled in Query Editor

  1. Load a report in the Report Designer, or create a new report bound to the SQL data source. In the Report Explorer window, select Manage Queries:

    WinForms-report-designer-manage-queries

  2. In the Manage Queries window, click Edit SQL:

    WinForms-report-designer-manage-queries-window

  3. You can manually edit the query:

    WinForms-report-designer-query-editor-edit-sql-window

  4. If you enter a query that does not use SELECT, and click OK, the following message appears, preventing you from saving the query:

    WinForms-report-designer-custom-sql-query-validation-warning

# SQL Editing Enabled in Query Builder

Invoke the Data Source Wizard and navigate to the query creation page. On this page, click the Add button for the Queries category to create a new query using the Query Builder.

report-wizard-invoke-query-builder

The Allow Edit SQL option is now available in the Query Builder. If a user switches to this mode, the visual features of the Query Builder are disabled in favor of the specified SQL string value.

eud-query-builder-custom-sql

# Validate Custom SQL Queries

Custom SQL queries are validated before their execution.

Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests.

For this reason, we strongly recommend that you take the following actions:

  • Implement validation logic that allows users to execute only queries that meet certain criteria.
  • Implement the appropriate user read/write privileges at the database level.

See the following topic for details: Custom SQL Query Validation (WinForms).
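The following C# example is added here and is not code from the DevExpress documentation page. It enables custom SQL in code (the SqlWizardOptions.EnableCustomSql property described under "How to Enable Custom SQL") and adds the additional validation layer this section recommends. The form class, handler and table names are hypothetical and constructed for illustration; the SqlDataSource.ValidateCustomSqlQuery event and its ValidateCustomSqlQueryEventArgs type are assumed to exist as documented in the Custom SQL Query Validation (WinForms) topic, so check them against your installed version.

```csharp
// Added example (not part of the DevExpress documentation page).
// Assumptions: reportDesigner1 is an XRDesignMdiController on the form;
// SqlDataSource.ValidateCustomSqlQuery and ValidateCustomSqlQueryEventArgs
// exist as named (see the Custom SQL Query Validation topic).
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using DevExpress.DataAccess.Sql;
using DevExpress.XtraReports.UserDesigner;

public partial class DesignerForm : System.Windows.Forms.Form
{
    // Constructed allow list: the only tables/views a custom query may reference.
    static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "Products", "Categories", "vw_OrderSummary" };

    // Keywords that modify data or schema, run procedures, or batch statements.
    static readonly Regex Forbidden = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|INTO|GRANT|REVOKE)\b|\b(?:xp|sp)_",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Identifier that follows FROM or JOIN, with an optional [schema]. prefix.
    static readonly Regex TableRef = new Regex(
        @"\b(?:FROM|JOIN)\s+(?:\[?\w+\]?\.)?\[?(\w+)\]?",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public DesignerForm()
    {
        InitializeComponent();

        // Same effect as setting SqlWizardSettings.EnableCustomSql in the Properties window.
        reportDesigner1.SqlWizardSettings.EnableCustomSql = true;

        // Second validation layer, run for every custom query before it executes.
        SqlDataSource.ValidateCustomSqlQuery += OnValidateCustomSqlQuery;
    }

    static void OnValidateCustomSqlQuery(object sender, ValidateCustomSqlQueryEventArgs e)
    {
        // Only ever narrow the verdict; the default SELECT-only check still applies.
        if (!IsQueryAllowed(e.CustomSqlQuery.Sql))
            e.Valid = false;
    }

    // Pure allow-list check, kept free of designer types so it can be unit tested.
    public static bool IsQueryAllowed(string sql)
    {
        if (string.IsNullOrWhiteSpace(sql))
            return false;

        string text = sql.Trim();

        // Reject statement separators and comments: common ways to smuggle a second statement.
        if (text.Contains(";") || text.Contains("--") || text.Contains("/*"))
            return false;

        // Must be a single SELECT statement.
        if (!Regex.IsMatch(text, @"^SELECT\b", RegexOptions.IgnoreCase))
            return false;

        // No data/schema modification or procedure execution anywhere in the text.
        if (Forbidden.IsMatch(text))
            return false;

        // Every table or view referenced after FROM/JOIN must be on the allow list.
        foreach (Match m in TableRef.Matches(text))
        {
            if (!AllowedTables.Contains(m.Groups[1].Value))
                return false;
        }

        return true;
    }
}
```

The filter is deliberately coarse: it can only reject, never accept something the default check would have refused, and it does not parse SQL, so treat it as a guard rail rather than proof of safety. As the page states, the database account the report connects with should also be limited to read privileges on exactly the tables the allow list names.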
