Custom SQL Query in Report Designer
- 2 minutes to read
This document describes how to allow users to manually edit SQL queries in the Data Source Wizard of the End-User Report Designer for WinForms.
For security reasons, you should not allow users to edit SQL queries if your reporting application can be accessed by untrusted parties. Refer to the following topic for more information: Data Access Security.
How to Enable Custom SQL
Do the following to allow users to edit SQL queries:
Select the Report Designer’s XRDesignMdiController in the component tray.
The following warning appears before you change the EnableCustomSql property value:
SQL Editing Enabled in Query Editor
Load a report in the Report Designer, or create a new report bound to the SQL data source. In the Report Explorer window, select Manage Queries:
In the Manage Queries window, click the ellipsis button to edit the selected query:
You can manually edit the query in the invoked Query Editor window:
If you enter a non-select query, the following error is displayed when you click Next:
SQL Editing Enabled in Query Builder
The Allow Edit SQL option is now available in the Query Builder. If a user switches to this mode, the visual features of the Query Builder are disabled in favor of the specified SQL string value.
Custom SQL queries are validated before their execution.
Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests.
For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds.
See the following topic to learn more: Provide Custom Query Validation in Report Designer.