Skip to main content
BuyLog In
.NET Reporting Tools
Search in…
Docs > Reporting for Desktop > Reporting for WPF > Application Security > Custom SQL Query in the Report Designer
All docs
V24.2
Reporting
Product Information
What's New
.NET Support
Get Started with DevExpress Reporting
Create Different Report Types (Walkthroughs)
Detailed Guide to DevExpress Reporting
Memory Usage in Reporting - Best Practices
Localize Reporting Applications
Security Considerations
AI-powered Extensions
Visual Studio Report Designer
VS Code Report Designer
Reporting for Desktop
Accessibility
Reporting for WinForms
Reporting for WPF
Print
Document Preview
End-User Report Designer
Application Security
Ensure Safe Loading of Reports
Data Access Security
Custom SQL Query in the Report Designer
Custom SQL Query Validation
Application Appearance
Application Deployment
WPF UI Development Bundles that Include Reports
Localization
Reporting for WinUI
Reporting for .NET MAUI
Reporting for Web
Reporting .NET Migration Guides
Cloud Integration
.NET Aspire Integration
Cross-Platform .NET App UI
Backend Web API Service / REST API for Reporting
WCF Report Service
End-User Documentation
Redistribution and Deployment
API Reference
ASP.NET Core API Reference
Blazor API Reference
Client API Reference
Client API Reference (Web Forms & MVC)
Download CHM

Custom SQL Query in the Report Designer for WPF

  • 2 minutes to read

This document describes how to allow users to edit SQL query text in the End-User Report Designer‘s Data Source Wizard.

Important

For security reasons, do not allow users to edit SQL queries if there is a chance that untrusted parties can access your reporting application. Refer to the following topic for more information: Data Access Security in WPF Applications.

How to Enable Custom SQL

Specify the ReportDesigner component’s EnableCustomSql property to allow users to edit SQL queries:

<dxrud:ReportDesigner Name="reportDesigner">  
    <dxrud:ReportDesigner.DataSourceWizardSettings>  
        <dxda:DataSourceWizardSettings SqlWizardSettings="{dxda:SqlWizardSettings EnableCustomSql=True}" />  
    </dxrud:ReportDesigner.DataSourceWizardSettings>  
</dxrud:ReportDesigner>

Edit SQL in the Data Source Wizard

  1. Load a report in the Report Designer or create a new report bound to an SQL data source. In the Report Explorer window, select Manage Queries:

    wpf-report-designer-manage-queries

  2. In the Manage Queries window, click the ellipsis button to edit the selected query:

    wpf-report-designer-edit-query

  3. You can edit the query in the invoked Query Editor window:

    wpf-report-designer-edit-query-manually

  4. If you enter a query other than SELECT, the following error is displayed when you click Next:

    wpf-report-designer-edit-query-warning

Edit SQL in the Query Builder

Invoke the Data Source Wizard and navigate to the query creation page. On this page, click the Queries category’s plus button to create a new query in the Query Builder.

wpf-report-wizard-invoke-query-builder

The Allow Edit SQL option is now available in the Query Builder. If a user switches to this mode, the visual features of the Query Builder are disabled in favor of the specified SQL string value.

wpf-report-designer-allow-edit-sql

Validate Custom SQL Queries

Custom SQL queries are validated before their execution.

Although the default validation mechanism only allows custom queries that contain SELECT statements (except for SELECT INTO clauses), it is not considered safe as it does not prevent execution of potentially harmful requests.

For this reason, we strongly recommend that you take the following actions:

  • Implement validation logic that allows users to execute only queries that meet certain criteria.
  • Implement the appropriate user read/write privileges at the database level.

See the following topic for details: Custom SQL Query Validation (WPF).