
Custom SQL Query Validation (WinForms)


This tutorial describes how to implement validation for custom SQL queries.

Important

Unrestricted execution of custom queries lets your users modify the connected database at will. Avoid enabling this option unless you are certain about the expected results.

Custom SQL queries are validated before they are executed. The default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses), but it cannot be considered safe because it does not prevent the execution of potentially harmful requests. We recommend that you implement your own validation logic that permits only specific query types to run.

Do not reduce the default restrictions when implementing query validation.

To enable unrestricted execution of custom queries (for example, those containing DELETE, INSERT, PROCEDURE, and UPDATE statements), set the static SqlDataSource.DisableCustomQueryValidation property to true.

Validate Custom Queries in the Data Source Wizard

To implement custom query validation in the Data Source wizard, do the following:

  1. Select the Report Designer’s XRDesignMdiController in the component tray.

    [Image: winforms-report-designer-select-mdi-controller-bars]

  2. In the Properties window, double-click the XRDesignMdiController.ValidateCustomSql event to handle it.

    [Image: winforms-report-designer-validate-custom-sql]

  3. An event handler will be automatically added to the code of the Report Designer’s parent form. In the event handler, define your custom query validation logic.

    using System;
    using DevExpress.XtraReports.UserDesigner;
    // ...
    private void reportDesigner1_ValidateCustomSql(object sender, ValidateSqlEventArgs e) {
        // Text of the custom query the user entered in the Data Source wizard.
        string sql = e.Sql;
        // Placeholder check: accept only text that begins with SELECT.
        // Replace this with your own, stricter validation logic.
        bool validationResult = sql != null &&
            sql.TrimStart().StartsWith("SELECT", StringComparison.OrdinalIgnoreCase);
        // Setting Valid to false rejects the query; it is not executed.
        e.Valid = validationResult;
    }

Validate Custom Queries in the Report Designer Preview

To validate custom queries in the Report Designer Preview, handle the static SqlDataSource.ValidateCustomSqlQueryGlobal event of the SqlDataSource class. This event occurs for all SQL data sources in the application.

You can also validate custom queries in the Report Designer Preview for a specific SQL data source rather than globally. To do this, handle the SqlDataSource.ValidateCustomSqlQuery event of that SqlDataSource instance.

using System;
using DevExpress.DataAccess;
using DevExpress.DataAccess.Sql;
// ...

// Subscribe once at application start-up; the handler then runs for every SQL data source.
SqlDataSource.ValidateCustomSqlQueryGlobal += SqlDataSource_ValidateCustomSqlQueryGlobal;

void SqlDataSource_ValidateCustomSqlQueryGlobal(object sender, ValidateCustomSqlQueryEventArgs e) {
    // The custom query about to be executed; its text is in the Sql property.
    CustomSqlQuery customQuery = e.CustomSqlQuery;
    string sql = customQuery.Sql;
    // Placeholder check: accept only text that begins with SELECT.
    // Replace this with your own, stricter validation logic.
    bool validationResult = sql != null &&
        sql.TrimStart().StartsWith("SELECT", StringComparison.OrdinalIgnoreCase);
    // Setting Valid to false rejects the query; it is not executed.
    e.Valid = validationResult;
}
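The two handlers above (the Data Source wizard's ValidateCustomSql and the preview's ValidateCustomSqlQueryGlobal) should apply the same policy, so the example below, which is added here and is not DevExpress code, puts an allow-list validator in one class and wires it into both events. It goes beyond the page's "starts with SELECT" placeholder: it strips comments before inspecting the text, rejects batched statements, requires a leading SELECT, and rejects a list of data-modifying and procedure-executing keywords wherever they appear. The class name CustomSqlPolicy, the keyword list, and the use of CustomSqlQuery.Sql as the query text are this example's own assumptions; the event and argument types are the ones named on the page.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using DevExpress.DataAccess.Sql;
using DevExpress.XtraReports.UserDesigner;

// Added example, not part of the DevExpress documentation.
// One allow-list policy shared by the wizard and the preview validation events.
static class CustomSqlPolicy {
    // The statement must begin with SELECT after comments and whitespace are removed.
    static readonly Regex LeadingSelect = new Regex(@"^\s*SELECT\b", RegexOptions.IgnoreCase);

    // Keywords that are never acceptable in a read-only report query, even inside a SELECT.
    // INTO also covers the SELECT INTO form that the default validation excludes.
    // The list is an assumption for this example; extend it for your database engine.
    static readonly Regex ForbiddenKeyword = new Regex(
        @"\b(INTO|INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|" +
        @"GRANT|REVOKE|OPENROWSET|OPENQUERY|xp_\w+|sp_\w+)\b",
        RegexOptions.IgnoreCase);

    // Line comments and block comments; removed so keywords cannot hide in them.
    static readonly Regex Comment = new Regex(@"--[^\r\n]*|/\*.*?\*/", RegexOptions.Singleline);

    // Returns true when the query may run; otherwise false with a human-readable reason.
    public static bool IsAllowed(string sql, out string reason) {
        reason = null;
        if (string.IsNullOrWhiteSpace(sql)) {
            reason = "empty query";
            return false;
        }
        string stripped = Comment.Replace(sql, " ").Trim();
        // One trailing semicolon is tolerated; any other semicolon means a second statement.
        string single = stripped.TrimEnd(';');
        if (single.IndexOf(';') >= 0) {
            reason = "multiple statements are not permitted";
            return false;
        }
        if (!LeadingSelect.IsMatch(single)) {
            reason = "only SELECT statements are permitted";
            return false;
        }
        Match hit = ForbiddenKeyword.Match(single);
        if (hit.Success) {
            reason = "forbidden keyword: " + hit.Value.ToUpperInvariant();
            return false;
        }
        return true;
    }

    // Rejected queries are logged so that repeated attempts are visible to operators.
    static void LogRejection(string source, string sql, string reason) {
        Trace.TraceWarning("Custom SQL rejected ({0}): {1}; query: {2}", source, reason, sql);
    }

    // Handler for XRDesignMdiController.ValidateCustomSql (Data Source wizard).
    public static void OnValidateCustomSql(object sender, ValidateSqlEventArgs e) {
        string reason;
        e.Valid = IsAllowed(e.Sql, out reason);
        if (!e.Valid) LogRejection("designer wizard", e.Sql, reason);
    }

    // Handler for SqlDataSource.ValidateCustomSqlQueryGlobal (preview, all data sources).
    public static void OnValidateCustomSqlQueryGlobal(object sender, ValidateCustomSqlQueryEventArgs e) {
        string sql = e.CustomSqlQuery.Sql;   // assumed: query text lives in CustomSqlQuery.Sql
        string reason;
        e.Valid = IsAllowed(sql, out reason);
        if (!e.Valid) LogRejection("preview", sql, reason);
    }

    // Call once at application start-up (for example from Program.Main) and once per
    // designer form so that both events use the same policy.
    public static void RegisterGlobal() {
        SqlDataSource.ValidateCustomSqlQueryGlobal += OnValidateCustomSqlQueryGlobal;
    }

    public static void RegisterDesigner(XRDesignMdiController controller) {
        controller.ValidateCustomSql += OnValidateCustomSql;
    }
}
```

The check is deliberately conservative: a legitimate query that mentions one of the listed words inside a string literal is rejected too, which is the safe failure direction for a report designer exposed to end users. Constructed inputs behave as follows: `SELECT Id, Name FROM Customers` is allowed; `SELECT * INTO Backup FROM Customers`, `SELECT 1; DELETE FROM Customers` and `SELECT 1 /* DROP TABLE Customers */` are all rejected, the last one because comments are removed before the keyword scan.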

Note

To prevent end users from running custom queries in a Print Preview, set the SqlDataSource.AllowCustomSqlQueries property to false.
