ICustomQueryValidator Interface


Implements custom validation logic for SQL queries.

Namespace: DevExpress.DataAccess.Wizard.Services

Assembly: DevExpress.DataAccess.v25.2.dll

NuGet Package: DevExpress.DataAccess

Declaration

```csharp
public interface ICustomQueryValidator
```

```vb
Public Interface ICustomQueryValidator
```

The following members return ICustomQueryValidator objects:

| Library | Related API Members |
| --- | --- |
| Cross-Platform Class Library | ISqlDataSourceWizardCustomizationService.CustomQueryValidator |
| WinForms Controls | EditQueryContext.QueryValidator |
| | QueryBuilderEditQueryContext.CustomQueryValidator |

Remarks

Important

The use of custom SQL queries can lead to inadvertent or unauthorized modifications to your data/database structure. Although the default validation mechanism only allows custom queries containing SELECT statements (except for SELECT INTO clauses), it cannot be considered safe as it does not prevent the execution of potentially harmful requests.

We strongly recommend that you implement additional custom SQL query verification. However, do not use it as the only security precaution. Ensure that you follow best practices and implement the appropriate user read/write privileges at the database level. By setting permissions within the database, you ensure that only authorized users and processes can access or modify data.

A user can write custom SQL queries in the SQL Data Source Wizard if custom SQL editing is enabled.

When a user saves a custom SQL query, the validation service processes the query text. The default validation service allows only queries with SELECT statements (except for SELECT INTO clauses).

A custom validation service implements the ISqlDataSourceWizardCustomizationService interface. To integrate your validator into the application, implement the ICustomQueryValidator interface and return your custom validator from the service's CustomQueryValidator property.

Warning

If you implement and register a custom validation service, the End-User Report Designer uses the ISqlDataSourceWizardCustomizationService.IsCustomSqlDisabled property value to determine whether to enable custom SQL. The EnableCustomSql method is unnecessary.

The following code illustrates how to implement the validator and the service:

```csharp
using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Wizard.Services;
using DevExpress.DataAccess.Web;
// ...

public class MyCustomValidator : ICustomQueryValidator {
    public bool Validate(DataConnectionParametersBase connectionParameters, string sql, ref string message) {
        // Add your custom validation logic here.
        // Return true if the query is valid; otherwise, return false.
        // Placeholder: reject every query until the logic above is implemented.
        message = "Custom SQL validation is not implemented.";
        return false;
    }
}

public class CustomSqlDataSourceWizardCustomizationService : ISqlDataSourceWizardCustomizationService {
    // The validator that checks every custom SQL query saved by a user.
    public ICustomQueryValidator CustomQueryValidator {
        get { return new MyCustomValidator(); }
    }

    // False keeps custom SQL editing enabled.
    public bool IsCustomSqlDisabled {
        get { return false; }
    }
}
```

```vb
Imports DevExpress.DataAccess.ConnectionParameters
Imports DevExpress.DataAccess.Wizard.Services
Imports DevExpress.DataAccess.Web
' ...

Public Class MyCustomValidator
    Implements ICustomQueryValidator
    Public Function Validate(ByVal connectionParameters As DataConnectionParametersBase, ByVal sql As String, ByRef message As String) As Boolean
        ' Add your custom validation logic here.
        ' Return true if the query is valid; otherwise, return false.
        ' Placeholder: reject every query until the logic above is implemented.
        message = "Custom SQL validation is not implemented."
        Return False
    End Function
End Class

Public Class CustomSqlDataSourceWizardCustomizationService
    Implements ISqlDataSourceWizardCustomizationService
    ' The validator that checks every custom SQL query saved by a user.
    Public ReadOnly Property CustomQueryValidator() As ICustomQueryValidator
        Get
            Return New MyCustomValidator()
        End Get
    End Property

    ' False keeps custom SQL editing enabled.
    Public ReadOnly Property IsCustomSqlDisabled() As Boolean
        Get
            Return False
        End Get
    End Property
End Class
```
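
One way to fill in the Validate placeholder, as an added example that is not DevExpress code: a fail-closed filter over the raw query text. The class name SingleSelectQueryValidator, the length cap, and the keyword list are assumptions, and the filter is not a SQL parser, so the database-level permissions described in the Remarks remain necessary.

```csharp
using System.Diagnostics;
using System.Text.RegularExpressions;
using DevExpress.DataAccess.ConnectionParameters;
using DevExpress.DataAccess.Wizard.Services;

// Added example: class name, length cap, and keyword list are assumptions.
public class SingleSelectQueryValidator : ICustomQueryValidator {
    const int MaxLength = 4000; // assumed cap; tune for your reports

    static readonly Regex StartsWithSelect =
        new Regex(@"^\s*SELECT\b", RegexOptions.IgnoreCase);
    // Statement separators and comment openers have no place in a single report query.
    static readonly Regex SeparatorOrComment = new Regex(@";|--|/\*");
    // Keywords that write data, change schema or permissions, or invoke routines.
    static readonly Regex ForbiddenKeyword = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|INTO|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|EXEC|EXECUTE|CALL)\b",
        RegexOptions.IgnoreCase);

    public bool Validate(DataConnectionParametersBase connectionParameters, string sql, ref string message) {
        // The raw text is checked without tokenizing it, so a keyword inside a
        // string literal or quoted identifier is also rejected. That costs some
        // false positives but avoids disagreeing with the database's own parser.
        if (string.IsNullOrWhiteSpace(sql))
            return Reject(ref message, "The query is empty.");
        if (sql.Length > MaxLength)
            return Reject(ref message, "The query is too long.");
        if (!StartsWithSelect.IsMatch(sql))
            return Reject(ref message, "Only SELECT statements are allowed.");
        if (SeparatorOrComment.IsMatch(sql))
            return Reject(ref message, "Semicolons and comments are not allowed.");
        Match keyword = ForbiddenKeyword.Match(sql);
        if (keyword.Success)
            return Reject(ref message, "Keyword not allowed: " + keyword.Value.ToUpperInvariant());
        return true;
    }

    // Fail closed: set the message returned to the caller and log the rejection.
    static bool Reject(ref string message, string reason) {
        message = reason;
        Trace.TraceWarning("Custom SQL rejected: {0}", reason);
        return false;
    }
}
```

To use it, return a SingleSelectQueryValidator instance from the service's CustomQueryValidator property in place of MyCustomValidator.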

Once complete, you should register the service in your application. Call the control’s RegisterSqlDataSourceWizardCustomizationService method to register the service for DevExpress Reports:

ASP.NET Web Forms or ASP.NET MVC

Call the static DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<T> method at application startup:

```csharp
using DevExpress.XtraReports.Web.ReportDesigner;

protected void Application_Start(object sender, EventArgs e) {
    DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService<CustomSqlDataSourceWizardCustomizationService>();
}
```

```vb
Imports DevExpress.XtraReports.Web.ReportDesigner

Protected Sub Application_Start(ByVal sender As Object, ByVal e As EventArgs)
    DefaultReportDesignerContainer.RegisterSqlDataSourceWizardCustomizationService(Of CustomSqlDataSourceWizardCustomizationService)()
End Sub
```

ASP.NET Core

Call the ReportDesignerConfigurationBuilder.RegisterSqlDataSourceWizardCustomizationService method in the application startup file:

```csharp
using DevExpress.AspNetCore;
using DevExpress.AspNetCore.Reporting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.ConfigureReportingServices(configurator => {
    configurator.ConfigureReportDesigner(designerConfigurator => {
        designerConfigurator.RegisterDataSourceWizardConfigFileConnectionStringsProvider();
        designerConfigurator.RegisterSqlDataSourceWizardCustomizationService<CustomSqlDataSourceWizardCustomizationService>();
    });
});

var app = builder.Build();
```

This configuration ensures that any custom SQL queries entered by users are validated according to your specified rules before execution.

See Also

ICustomQueryValidator Members

CustomQueryValidator

Custom SQL Query in the Report Designer for Web

Custom SQL Query Validation (Web)

DevExpress.DataAccess.Wizard.Services Namespace