Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Create End-User Reporting Applications > Web Reporting > Application Security > Data Access Security
A newer version of this page is available. .
All docs
V19.2
Reporting
Product Information
Get Started with DevExpress Reporting
Create Popular Reports
Detailed Guide to DevExpress Reporting
Visual Studio Report Designer
Create End-User Reporting Applications
Cross-Platform Reporting
WinForms Reporting
WPF Reporting
Web Reporting
General Information
ASP.NET WebForms Reporting
ASP.NET MVC Reporting
ASP.NET Core Reporting
JavaScript Reporting
Application Security
General Security Considerations
Data Access Security
Enable Custom SQL in Report Designer
Provide Custom Query Validation in Report Designer
End-User Documentation
WCF Report Service
Discontinued Platforms
Localization
Redistribution and Deployment
Reporting in .NET Core 3 (CTP)
API Reference
ASP.NET Core API Reference
Client API Reference
Client API Reference (WebForms & MVC)
Download CHM

Data Access Security

  • 3 minutes to read

This document describes how to ensure a secure access to data in your web reporting applications and lists approaches allowing you to customize the default security mechanisms.

Important

Default data access behavior of the End-User Report Designer is intended to provide a high level of database security.

We strongly recommend that you utilize the default behavior if your reporting application can be accessed by untrusted parties.

We also recommend that you use the access control functionality of your database management system to achieve the highest level of database security.

Data Connection Security

Before data source connection parameters are passed to the client, they are encrypted by default.

When the SQL Data Source wizard obtains connection strings from the Web.config file, only the connection name is serialized with the report definition.

You can register a custom connection string provider. Based on the registration mode you choose, all the connection parameters or the connection name only are serialized along with a report data source. When the report serialized with connection parameters is passed to the client, these parameters are encrypted by applying the MachineKey algorithm. To provide a custom encryption mechanism, use the ISecureDataConverter interface.

Database Security

Enabling Custom SQL

By default, the Data Source Wizard allows only visual constructing of SQL queries using the built-in Query Builder. Queries constructed using the Query Builder can only contain a SELECT statement and are guaranteed to be safe.

Manual editing of SQL queries is considered unsafe and is disabled by default. You can enable SQL editing at your own risk using the approach described in the following document: Enable Custom SQL in Report Designer

Important

Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent execution of potentially harmful requests. Before enabling this option, please make sure to apply a secure SQL validation that prevents execution of harmful requests.

It is also recommended that you utilize the access control functionality of your database management system to achieve the highest level of database security.

If this feature is enabled, custom SQL editing is available on the following SQL Data Source Wizard pages.

Restricting Access to Unauthorized Assemblies

Loading of custom assemblies that may be referenced by Entity Framework data sources is forbidden by default.

To permit loading a specific assembly, handle the EFDataSource.BeforeLoadCustomAssembly event (or static EFDataSource.BeforeLoadCustomAssemblyGlobal event) and specify the following properties of the BeforeLoadCustomAssemblyEventArgs object.

An unauthorized attempt to load a custom assembly will result in throwing a CustomAssemblyLoadingProhibitedException.