Breaking Change Advisory

Dec 3, 2015: SqlDataSource and Data Source Wizard

Affected Platforms

  • WinForms
  • WPF
  • ASP.NET/Web

Affected Products

  • Dashboard
  • Spreadsheet
  • End-User Report Designer (Windows & Web)
  • Snap (WinForms only)
  • SqlDataSource when used as a standalone component

Affected Builds

  • v15.2.3
  • v15.1.9
  • v14.2.11
  • v14.1.12

How the Breaking Change Advisory Affects You and Your End-Users

IMPORTANT: We highly recommend that you take all precautions necessary to prevent inadvertent or unauthorized modifications to your data and/or database structure. Notwithstanding the changes described in this Breaking Change Advisory, you should secure your application, its data and associated database structure by following best practices and implementing end-user read/write privileges at the database level.

The following three common scenarios show how the breaking change described in the DevExpress Breaking Change Advisory dated December 3, 2015 may affect you, your apps and your end-users:

Your application UI allows end-users to use the built-in Data Source Wizard

The wizard is available in the DevExpress Report Designer, Dashboard Designer, Snap, and Spreadsheet (mail merge feature).

You will now notice that the SQL query text field is read-only by default. End-users can use the Query Builder, but won't be able to edit the resulting string in the text editor.

Read-Only SQL Statement Editor

If you want to allow manual SQL editing, you can enable the control's EnableCustomSql option. You will be asked to confirm your intent.

EnableCustomSql Property

Once you make this change, the editor will allow your end-users to modify SQL strings, but will validate the queries that are entered. Only SELECT statements are allowed.

SELECT Statement Validation

At your discretion, you can disable SQL command validation by implementing the ICustomQueryValidator interface. Both DevExpress Dashboard and DevExpress Report Designer have implemented this interface.

DevExpress Report Designer ships with a ValidateCustomSql event:

Reports: ValidateCustomSql Event

DevExpress Dashboard ships with a ValidateCustomSqlQuery event:

Dashboard: ValidateCustomSqlQuery Event

Should you wish to implement a similar event for DevExpress Spreadsheet and/or Snap, contact our support team via the DevExpress Support Center.

You Invoke the Data Source Wizard Manually

You're using SqlDataSource as a standalone component to display the Data Source Wizard for your custom controls

Much like the previous example, the SQL statement editor will be read-only by default. You can access options in code when you invoke the wizard. Here's how to enable the editor and invoke the Data Source Wizard:

  • C#
                    // Allow manual SQL editing in the wizard's query editor (read-only by default).
                    DevExpress.DataAccess.UI.Sql.EditQueryContext context = new DevExpress.DataAccess.UI.Sql.EditQueryContext();
                    context.Options |= DevExpress.DataAccess.Wizard.SqlWizardOptions.EnableCustomSql;
                    // Set up the connection, then invoke the wizard with the context above.
                    DevExpress.DataAccess.UI.Sql.SqlDataSourceUIHelper.ConfigureConnection(sqlDataSource1);
                    bool result = DevExpress.DataAccess.UI.Sql.SqlDataSourceUIHelper.AddQuery(sqlDataSource1, context);

The same standard validation parser will restrict SQL commands and only allow use of SELECT statements. If you need to modify validation, you must handle the following event.

SqlDataSource: Custom Validation

You Open a Previously Saved Layout File

Layout files generated by DevExpress designers may contain custom SQL queries

Let's assume you've created a data source for a Dashboard or a Report and then saved the layout. The file in question contains data connection settings within it. If you modify the file to include a SQL command other than SELECT and attempt to load the document back into the dashboard, updated versions of the DevExpress assemblies will validate the SQL when the file is loaded.

Open Report Layout

Once again, validation restricts SQL commands to SELECT statements. If it fails, the DevExpress.DataAccess.Sql.CustomSqlQueryValidationException exception is thrown.

If you want to disable validation, we've included a static member in the SqlDataSource class:

  • C#
                    DevExpress.DataAccess.Sql.SqlDataSource.DisableCustomQueryValidation = true;

If you want to skip SQL query execution altogether, we've included the following option:

  • C#
                    DevExpress.DataAccess.Sql.SqlDataSource.AllowCustomSqlQueries = true;

To modify SQL validation algorithms, review our implementation or contact our support team via the DevExpress Support Center.
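
If you replace the default validation through ICustomQueryValidator or one of the validation events named in this advisory, your replacement decides what reaches the database. The following is an added example, not DevExpress code and not the validation algorithm the product ships: a conservative single-SELECT check in C# that fails closed. The names SelectOnlyCheck and IsSingleSelect, the keyword list and the sample queries are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical helper, not a DevExpress type and not DevExpress's algorithm.
public static class SelectOnlyCheck
{
    // Matched over the whole text, string literals included, so the check
    // fails closed instead of relying on dialect-specific quoting rules.
    private static readonly Regex Forbidden = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|GRANT|REVOKE|INTO)\b",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
    private static readonly Regex StartsWithSelect = new Regex(
        @"^\s*(SELECT|WITH)\b", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static bool IsSingleSelect(string sql, out string reason)
    {
        reason = null;
        if (string.IsNullOrWhiteSpace(sql)) { reason = "empty query"; return false; }
        // Comments can hide or split keywords; reject them outright.
        if (sql.Contains("--") || sql.Contains("/*")) { reason = "comment"; return false; }

        // Allow one trailing semicolon, but no statement separator elsewhere.
        string body = sql.Trim();
        if (body.EndsWith(";")) body = body.Substring(0, body.Length - 1);
        if (body.Contains(";")) { reason = "multiple statements"; return false; }
        if (!StartsWithSelect.IsMatch(body)) { reason = "not a SELECT"; return false; }

        Match m = Forbidden.Match(body);
        if (m.Success) { reason = "keyword " + m.Value.ToUpperInvariant(); return false; }
        return true;
    }

    public static void Main()
    {
        // Constructed sample queries, not taken from the advisory.
        string[] samples = {
            "SELECT Id, Name FROM Products WHERE Price > 10;",
            "SELECT 1; DELETE FROM Products",
            "SELECT * INTO Copy FROM Products",
            "UPDATE Products SET Price = 0",
        };
        foreach (string q in samples)
        {
            string reason;
            bool ok = IsSingleSelect(q, out reason);
            Console.WriteLine(ok ? "allow   " + q : "reject  " + q + "  (" + reason + ")");
        }
    }
}
```

Because keywords are matched inside string literals too, a harmless query such as one filtering on the text 'update' is rejected; that false positive is the price of failing closed. The database-level read/write privileges recommended at the start of this advisory remain the control that holds if a text filter is bypassed.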