Breaking Change Advisory

Dec 3, 2015: SqlDataSource and Data Source Wizard

Affected Platforms

• WinForms
• WPF
• ASP.NET/Web

Affected Products:

• Dashboard
• Spreadsheet
• End-User Report Designer (Windows & Web)
• Snap (WinForms only)
• SqlDataSource when used as a standalone component

Affected Builds

• v15.2.3
• v15.1.9
• v14.2.11
• v14.1.12

How the Breaking Change Advisory Affects You and Your End-Users

IMPORTANT: We highly recommend that you take all precautions necessary to prevent inadvertent or unauthorized modifications to your data and/or database structure. Notwithstanding the changes described in this Breaking Change Advisory, you should secure your application, its data and associated database structure by following best practices and implementing end-user read/write privileges at the database level.

The following are 3 common scenarios wherein the breaking change described in the DevExpress Breaking Change advisory dated December 3, 2015 may affect you, your apps and end-users:

You will now notice that the SQL query text field is read-only by default. End-users can use the Query Builder, but won't be able to edit the resulting string in the text editor.

If you want to allow manual SQL editing, you can switch the control's EnableCustomSql option. You will be asked to confirm your intent.

Once you make this change, the editor will allow your end-users to modify SQL strings, but will validate the queries that are entered. Only SELECT statements are allowed.

At your discretion, you can disable SQL command validation by implementing the ICustomQueryValidator interface. Both DevExpress Dashboard and DevExpress Report Designer have implemented this interface.

DevExpress Report Designer ships with a ValidateCustomSql event:

DevExpress Dashboard ships with a ValidateCustomSqlQuery event:

Should you wish to implement a similar event for DevExpress Spreadsheet and/or Snap, contact our support team via the DevExpress Support Center.

Much like the previous example, the SQL statement editor will be read-only by default. You can access options in code when you invoke the wizard. Here's how to enable the editor and invoke the Data Source Wizard:

                    DevExpress.DataAccess.UI.Sql.EditQueryContext context = new DevExpress.DataAccess.UI.Sql.EditQueryContext();
                    context.Options |=  DevExpress.DataAccess.Wizard.SqlWizardOptions.EnableCustomSql;
                    DevExpress.DataAccess.UI.Sql.SqlDataSourceUIHelper.ConfigureConnection(sqlDataSource1);
                    bool result= DevExpress.DataAccess.UI.Sql.SqlDataSourceUIHelper.AddQuery(sqlDataSource1, context);

The same standard validation parser will restrict SQL commands and only allow use of SELECT statements. If you need to modify validation, you must handle the following event.

Let's assume you've created a data source for a Dashboard or a Report and then saved the layout. The file in question contains data connection settings within it. If you modify the file to include a SQL command other than SELECT, and attempt to load the document back into the dashboard, updated versions of DevExpress assemblies will validate the SQL when loaded.

Once again, validation restricts SQL commands to SELECT statements. If it fails, the DevExpress.DataAccess.Sql.CustomSqlQueryValidationException exception is thrown.

If you want to disable validation, we've included a static member in the SqlDataSource class:

                    DevExpress.DataAccess.Sql.SqlDataSource.DisableCustomQueryValidation = true;

If you want to skip SQL query execution altogether, we've included the following option:

                    DevExpress.DataAccess.Sql.SqlDataSource.AllowCustomSqlQueries = true;

To modify SQL validation algorithms, review our implementation or contact our support team via the DevExpress Support Center.