All docs
V21.1
21.2 (EAP/Beta)
The page you are viewing does not exist in version 21.2. This link will take you to the root page.
21.1
20.2
The page you are viewing does not exist in version 20.2. This link will take you to the root page.
20.1
The page you are viewing does not exist in version 20.1. This link will take you to the root page.
19.2
The page you are viewing does not exist in version 19.2. This link will take you to the root page.
19.1
The page you are viewing does not exist in version 19.1. This link will take you to the root page.
18.2
The page you are viewing does not exist in version 18.2. This link will take you to the root page.
18.1
The page you are viewing does not exist in version 18.1. This link will take you to the root page.
17.2
The page you are viewing does not exist in version 17.2. This link will take you to the root page.

Custom SQL Query Validation

  • 2 minutes to read

This tutorial demonstrates how to validate custom SQL queries in the End-User Report Designer.

Important

Unrestricted execution of custom queries enables end users to modify a connected database. Disable this option to prevent the execution of potentially malicious SQL statements.

Custom SQL queries are validated before their execution. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), these statements cannot be considered safe as they do not prevent execution of potentially harmful requests. For this reason, we strongly recommend that you implement your own validation logic that permits only execution of specific query kinds.

When you implement custom query validation, it is recommended that you maintain the default restrictions.

To enable unrestricted execution of custom queries (for example, those containing DELETE, INSERT, PROCEDURE and UPDATE statements), set the static SqlDataSource.DisableCustomQueryValidation property to true.

Validate Custom Queries in the Report Designer’s Preview

Handle the static SqlDataSource.ValidateCustomSqlQueryGlobal event of the SqlDataSource class to enable the execution of custom queries in a Report Designer’s Preview.

using DevExpress.DataAccess;
using DevExpress.DataAccess.Sql;
// ...

SqlDataSource.ValidateCustomSqlQueryGlobal += SqlDataSource_ValidateCustomSqlQueryGlobal;

void SqlDataSource_ValidateCustomSqlQueryGlobal(object sender, ValidateCustomSqlQueryEventArgs e) {
    CustomSqlQuery customQuery = e.CustomSqlQuery;
    bool validationResult;
    // Insert your custom validation logic here.
    e.Valid = validationResult;
}

The event handler receives an event argument of the ValidateCustomSqlQueryEventArgs type that contains the following properties:

Note

Handle the SqlDataSource.ValidateCustomSqlQuery event in a specific SqlDataSource instance to only enable the execution of specific custom queries in a Report Designer’s Preview.

To restrict end users from executing custom queries in Print Preview, set the SqlDataSource.AllowCustomSqlQueries property to false.