Custom SQL Query Validation
This tutorial demonstrates how to validate custom SQL queries in the End-User Report Designer.
Important
Unrestricted execution of custom queries lets end users modify the connected database. Keep custom query validation enabled (do not set SqlDataSource.DisableCustomQueryValidation to true) and restrict the kinds of queries it accepts, so that potentially malicious SQL statements are never executed.
Custom SQL queries are validated before they are executed. By default, validation accepts only queries that consist of SELECT statements and rejects SELECT INTO. A SELECT-only check is not a safety guarantee, however: a SELECT statement can still be harmful, for example by reading tables or columns that the report author should not be able to access. For this reason, we strongly recommend that you implement your own validation logic that permits only the specific kinds of queries your application needs.
When you implement custom query validation, keep the default restrictions (SELECT statements only, no SELECT INTO) in place and add your own checks on top of them.
To enable unrestricted execution of custom queries (for example, queries that contain DELETE, INSERT or UPDATE statements, or that call stored procedures), set the static SqlDataSource.DisableCustomQueryValidation property to true. Do this only if every user of the Report Designer is trusted to run arbitrary SQL against the connected database.
Validate Custom Queries in the Report Designer’s Preview
Handle the static SqlDataSource.ValidateCustomSqlQueryGlobal event to decide whether a custom query can be executed in the Report Designer's Preview. Because the event is static, one handler covers every SqlDataSource instance in the application.
using DevExpress.DataAccess;
using DevExpress.DataAccess.Sql;
// ...
SqlDataSource.ValidateCustomSqlQueryGlobal += SqlDataSource_ValidateCustomSqlQueryGlobal;

void SqlDataSource_ValidateCustomSqlQueryGlobal(object sender, ValidateCustomSqlQueryEventArgs e) {
    CustomSqlQuery customQuery = e.CustomSqlQuery;
    // Deny by default; set to true only when the query passes your checks.
    bool validationResult = false;
    // Insert your custom validation logic here (inspect customQuery).
    e.Valid = validationResult;
    if (!validationResult)
        e.ExceptionMessage = "This custom SQL query is not permitted.";
}
The event handler receives an event argument of the ValidateCustomSqlQueryEventArgs type that exposes the following properties:
- ValidateCustomSqlQueryEventArgs.CustomSqlQuery - gets the custom SQL query that is being validated.
- ValidateCustomSqlQueryEventArgs.ExceptionMessage - gets or sets the exception message that is reported when the custom SQL query fails validation.
- ValidateCustomSqlQueryEventArgs.Valid - gets or sets whether the current SQL query is valid and may be executed.
Note
Handle the SqlDataSource.ValidateCustomSqlQuery event of a specific SqlDataSource instance to validate custom queries for that data source only, instead of for the whole application.
To prevent end users from executing any custom queries in Print Preview for a given data source, set its SqlDataSource.AllowCustomSqlQueries property to false.
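The following handler is an added example, not code from the original page or from the DevExpress library. It implements a deny-by-default policy for the global event above and shows how to reuse the same policy for a single SqlDataSource instance and how to switch custom queries off entirely for a data source. The allow-listed table names, the class names CustomQueryPolicy and CustomQueryValidationSetup, and the regular-expression heuristics are assumptions for illustration; the event, Valid, ExceptionMessage and AllowCustomSqlQueries members are the ones this page documents, and CustomSqlQuery.Sql is assumed to expose the query text.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using DevExpress.DataAccess;
using DevExpress.DataAccess.Sql;

// Deny-by-default policy for end-user custom SQL. A query passes only if it is a
// single SELECT statement (no SELECT INTO, no EXEC) that reads exclusively from
// allow-listed tables. The checks are heuristic and complement, rather than replace,
// a read-only, least-privilege database account for the report connection.
public static class CustomQueryPolicy {
    // Assumed allow-list: the tables that report authors may read in this application.
    static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Products", "Categories", "Orders" };

    // Matches the table name after FROM or JOIN, tolerating an optional schema prefix
    // and [ ] or " " quoting, e.g. FROM dbo.[Products] or JOIN "Orders".
    static readonly Regex TableRef = new Regex(
        @"\b(?:FROM|JOIN)\s+(?:[\[""]?\w+[\]""]?\.)?[\[""]?(\w+)[\]""]?",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // SELECT INTO writes to the database; EXEC/EXECUTE runs stored procedures.
    static readonly Regex ForbiddenKeywords = new Regex(
        @"\b(?:INTO|EXEC|EXECUTE)\b", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool IsAllowed(string sql, out string reason) {
        if (string.IsNullOrWhiteSpace(sql)) {
            reason = "The query is empty.";
            return false;
        }
        string s = sql.Trim();
        // Reject comments and statement separators instead of trying to parse around them;
        // both are classic ways to smuggle a second statement past a keyword check.
        if (s.Contains("--") || s.Contains("/*") || s.Contains(";")) {
            reason = "Comments and multiple statements are not allowed.";
            return false;
        }
        if (!Regex.IsMatch(s, @"^SELECT\b", RegexOptions.IgnoreCase)) {
            reason = "Only SELECT statements are allowed.";
            return false;
        }
        if (ForbiddenKeywords.IsMatch(s)) {
            reason = "SELECT INTO and stored procedure calls are not allowed.";
            return false;
        }
        MatchCollection tables = TableRef.Matches(s);
        if (tables.Count == 0) {
            reason = "The query must read from at least one table.";
            return false;
        }
        foreach (Match m in tables) {
            string table = m.Groups[1].Value;
            if (!AllowedTables.Contains(table)) {
                reason = "Table '" + table + "' is not in the allow-list.";
                return false;
            }
        }
        reason = null;
        return true;
    }
}

public static class CustomQueryValidationSetup {
    // Call once at application start-up; the static event covers every SqlDataSource.
    public static void RegisterGlobal() {
        SqlDataSource.ValidateCustomSqlQueryGlobal += OnValidateCustomSqlQuery;
    }

    // Apply the same policy to one data source only (the instance event from the Note above).
    public static void Attach(SqlDataSource dataSource) {
        dataSource.ValidateCustomSqlQuery += OnValidateCustomSqlQuery;
    }

    // For a data source whose reports must never run end-user SQL at all.
    public static void ForbidCustomQueries(SqlDataSource dataSource) {
        dataSource.AllowCustomSqlQueries = false;
    }

    static void OnValidateCustomSqlQuery(object sender, ValidateCustomSqlQueryEventArgs e) {
        string reason;
        e.Valid = CustomQueryPolicy.IsAllowed(e.CustomSqlQuery.Sql, out reason);
        if (!e.Valid)
            e.ExceptionMessage = "Custom query rejected: " + reason; // reported to the report author
    }
}
```

CustomQueryPolicy.IsAllowed has no side effects, so it can be unit-tested with plain strings before it is wired to the event: "SELECT * FROM Products; DROP TABLE Orders" is rejected because of the semicolon, "SELECT * INTO Backup FROM Orders" because of INTO, and "SELECT Name FROM dbo.[Products] p JOIN Categories c ON p.CategoryId = c.Id" passes. Keyword and regex checks cannot recognise every dialect-specific construct, so treat this policy as a first filter and rely on the permissions of the database account used by the report connection as the enforcement boundary.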