Custom SQL Query in Report Designer (WinForms)
This document describes how to allow users to edit SQL queries in the Data Source Wizard of the End-User Report Designer for WinForms.
Important
Unrestricted execution of custom queries lets your users modify the connected database at will. Avoid enabling this option unless you are certain about the expected results.
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent the execution of potentially harmful requests. We recommend that you implement your own validation logic that permits only the execution of specific query types.
Do not reduce the default restrictions when implementing query validation.
To enable unrestricted execution of custom queries (for example, those containing DELETE, INSERT, PROCEDURE, and UPDATE statements), set the static SqlDataSource.DisableCustomQueryValidation property to true.
How to Enable Custom SQL
Do the following to allow users to edit SQL queries:
Select the reportDesigner1 component (XRDesignMdiController) in the component tray. In the Properties window, expand the XRDesignMdiController.SqlWizardSettings complex property and set the SqlWizardSettings.EnableCustomSql property to true.
The following warning appears before you change the EnableCustomSql property value:
SQL Editing Enabled in Query Editor
Load a report in the Report Designer, or create a new report bound to the SQL data source. In the Report Explorer window, select Manage Queries:
In the Manage Queries window, click Edit SQL:
You can manually edit the query:
If you enter a query that does not use SELECT, and click OK, the following message appears, preventing you from saving the query:
SQL Editing Enabled in Query Builder
Invoke the Data Source Wizard and navigate to the query creation page. On this page, click the button for the Queries category to create a new query using the Query Builder.
The Allow Edit SQL option is now available in the Query Builder. If a user switches to this mode, the visual features of the Query Builder are disabled in favor of the specified SQL string value.
Important
Custom SQL queries are validated before their execution.
Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests.
For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds.
See the following topic to learn more: Provide Custom Query Validation in Report Designer.
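The following C# snippet is an added example, not code from this topic or from DevExpress: it performs the EnableCustomSql step described above and layers a stricter check on top of the built-in validation, as the Important note recommends. It assumes that the validation hook is the static SqlDataSource.ValidateCustomSqlQuery event and that its event arguments expose the query text (e.CustomSqlQuery.Sql) and a Valid flag; confirm the exact member names against the "Provide Custom Query Validation in Report Designer" topic for your version.

```csharp
using System;
using System.Text.RegularExpressions;
using DevExpress.DataAccess.Sql;
using DevExpress.XtraReports.UserDesigner;

public static class CustomSqlSetup
{
    // Call once at application start-up. Assumption: ValidateCustomSqlQuery is a
    // static event, so subscribing here more than once would run the handler twice.
    public static void Configure(XRDesignMdiController designer)
    {
        designer.SqlWizardSettings.EnableCustomSql = true;
        SqlDataSource.ValidateCustomSqlQuery += OnValidateCustomSqlQuery;
    }

    // Assumed event-args shape: e.CustomSqlQuery.Sql holds the text, e.Valid the verdict.
    // The default SELECT-only check has already run; this handler only tightens it.
    static void OnValidateCustomSqlQuery(object sender, ValidateCustomSqlQueryEventArgs e)
    {
        e.Valid = IsSingleReadOnlySelect(e.CustomSqlQuery.Sql);
    }

    // Keywords that have no place in a read-only report query. Matching them anywhere
    // (including inside a CTE or subquery) rejects the query. This is a deliberately
    // conservative deny-list: a column legitimately named "into" is also rejected.
    static readonly Regex Forbidden = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|INTO|EXEC(UTE)?|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE)\b",
        RegexOptions.IgnoreCase);

    // Accepts exactly one SELECT (optionally starting with a WITH clause), with no
    // statement separators and no comments, so batches and hidden text are refused.
    // This is a lexical check, not a SQL parser: keep it together with the built-in
    // validation and a read-only database login rather than relying on it alone.
    public static bool IsSingleReadOnlySelect(string sql)
    {
        if (string.IsNullOrWhiteSpace(sql)) return false;
        string s = sql.Trim().TrimEnd(';').Trim();
        if (s.Contains(";") || s.Contains("--") || s.Contains("/*")) return false;
        if (!Regex.IsMatch(s, @"^(WITH|SELECT)\b", RegexOptions.IgnoreCase)) return false;
        return !Forbidden.IsMatch(s);
    }
}
```

With this handler in place, "SELECT Id, Total FROM Orders" passes, while "SELECT 1; DELETE FROM Orders" and "SELECT * INTO Backup FROM Orders" are rejected before the designer saves the query.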