Custom SQL Query Validation
- 3 minutes to read
This tutorial demonstrates how to provide validation for custom SQL queries that can be specified by an end-user when the SqlWizardSettings.EnableCustomSql property is enabled.
Important
Unrestricted execution of custom queries enables your end users to voluntarily modify a connected database. Avoid enabling this option unless you are absolutely certain about the expected results.
Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds.
When providing a custom query validation, it is recommended that you do not reduce the default restrictions.
To enable unrestricted execution of custom queries (e.g., those containing DELETE, INSERT, PROCEDURE and UPDATE statements), set the static SqlDataSource.DisableCustomQueryValidation property to true.
Validate Custom Queries in the Data Source Wizard
To provide custom query validation in the Data Source wizard, do the following.
Select the Report Designer’s XRDesignMdiController in the component tray.
In the Properties window, double-click the XRDesignMdiController.ValidateCustomSql event to handle it.
An event handler will be automatically added to the code of the Report Designer’s parent form. In the event handler, define your custom query validation logic.
using DevExpress.XtraReports.UserDesigner; // ... private void reportDesigner1_ValidateCustomSql(object sender, ValidateSqlEventArgs e) { string sql = e.Sql; bool validationResult; // Insert your custom validation logic here. e.Valid = validationResult; }The event handler receives an event argument of the ValidateSqlEventArgs type containing the following properties.
- ValidateSqlEventArgs.ConnectionParameters - provides access to settings used to establish the current data connection.
- ValidateSqlEventArgs.Message - specifies the error message to display if query validation fails.
- ValidateSqlEventArgs.Sql - contains the SQL query to validate.
- ValidateSqlEventArgs.Valid - specifies whether the query is valid. By default, this property contains the result produced by the default validator.
Validate Custom Queries in the Report Designer’s Preview
To enable the execution of custom queries in a Report Designer’s Preview, handle the static SqlDataSource.ValidateCustomSqlQueryGlobal event of the SqlDataSource class.
using DevExpress.DataAccess;
using DevExpress.DataAccess.Sql;
// ...
SqlDataSource.ValidateCustomSqlQueryGlobal += SqlDataSource_ValidateCustomSqlQueryGlobal;
void SqlDataSource_ValidateCustomSqlQueryGlobal(object sender, ValidateCustomSqlQueryEventArgs e) {
CustomSqlQuery customQuery = e.CustomSqlQuery;
bool validationResult;
// Insert your custom validation logic here.
e.Valid = validationResult;
}
The event handler receives an event argument of the ValidateCustomSqlQueryEventArgs type containing the following properties.
- ValidateCustomSqlQueryEventArgs.CustomSqlQuery - gets a custom SQL query being validated.
- ValidateCustomSqlQueryEventArgs.ExceptionMessage - gets or sets the exception message returned after validation of the custom SQL query.
- ValidateCustomSqlQueryEventArgs.Valid - gets or sets whether or not the current SQL query is valid.
Note
To only enable the execution of specific custom queries in a Report Designer’s Preview, handle the SqlDataSource.ValidateCustomSqlQuery event of the corresponding SqlDataSource instance.
To restrict end-users from executing custom queries in a Print Preview, set the SqlDataSource.AllowCustomSqlQueries property to false.