Breaking Change Advisory
Dec 3, 2015: SqlDataSource and Data Source Wizard
Affected Platforms
Affected Products:
- Dashboard
- Spreadsheet
- End-User Report Designer (Windows & Web)
- Snap (WinForms only)
- SqlDataSource when used as a standalone component
Affected Builds
- v15.2.3
- v15.1.9
- v14.2.11
- v14.1.12
How the Breaking Change Advisory Affects You and Your End-Users
IMPORTANT: We highly recommend that you take all precautions necessary to prevent inadvertent or unauthorized modifications to your data and/or database structure. Notwithstanding the changes described in this Breaking Change Advisory, you should secure your application, its data and associated database structure by following best practices and implementing end-user read/write privileges at the database level.
The following are 3 common scenarios in which the breaking change described in this DevExpress Breaking Change Advisory, dated December 3, 2015, may affect you, your applications and your end-users:
Your application UI allows end-users to use the built-in Data Source Wizard
The wizard is available in the DevExpress Report Designer, Dashboard Designer, Snap, and Spreadsheet (mail merge feature).
You will now notice that the SQL query text field is read-only by default. End-users can use the Query Builder, but won't be able to edit the resulting string in the text editor.

If you want to allow manual SQL editing, you can enable the control's EnableCustomSql option. You will be asked to confirm your intent.

Once you make this change, the editor will allow your end-users to modify SQL strings, but will validate the queries that are entered. Only SELECT statements are allowed.

At your discretion, you can disable SQL command validation by implementing the ICustomQueryValidator interface. Both DevExpress Dashboard and DevExpress Report Designer have implemented this interface.
DevExpress Report Designer ships with a ValidateCustomSql event:

DevExpress Dashboard ships with a ValidateCustomSqlQuery event:

Should you wish to implement a similar event for DevExpress Spreadsheet and/or Snap, contact our support team via the DevExpress Support Center.
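As an added illustration (not DevExpress's validation parser and not code from this advisory), the following C# gate shows what "only SELECT statements are allowed" has to cover in practice: comments, stacked statements separated by ';', and SELECT ... INTO. The class and method names are assumptions of this example, and wiring it into a ValidateCustomSql or ValidateCustomSqlQuery handler is left to your own code because those event argument types are not shown here.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration, not DevExpress code: a conservative "single SELECT
// statement" gate. Call it from your own ValidateCustomSql /
// ValidateCustomSqlQuery handler or ICustomQueryValidator before accepting a
// custom query; it fails closed on anything it does not understand.
public static class SelectOnlyGate
{
    static readonly Regex BlockComment = new Regex(@"/\*.*?\*/", RegexOptions.Singleline);
    static readonly Regex LineComment = new Regex(@"--[^\r\n]*");
    static readonly Regex Leading = new Regex(@"^(SELECT|WITH)\b", RegexOptions.IgnoreCase);
    static readonly Regex Forbidden = new Regex(
        @"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE|EXEC|EXECUTE|GRANT|REVOKE|INTO)\b",
        RegexOptions.IgnoreCase);

    // Returns true only for one statement that begins with SELECT (or a
    // WITH ... SELECT common table expression) and contains no data- or
    // schema-modifying keyword. Stacked statements ("...; DROP ...") are
    // rejected; comments are removed first, as the database ignores them too.
    public static bool IsSingleSelect(string sql)
    {
        if (string.IsNullOrWhiteSpace(sql)) return false;
        string body = LineComment.Replace(BlockComment.Replace(sql, " "), " ").Trim();
        // Tolerate exactly one trailing ';'; any other ';' means a second statement.
        if (body.EndsWith(";")) body = body.Substring(0, body.Length - 1).TrimEnd();
        if (body.Contains(";")) return false;
        // A ';' or forbidden keyword inside a string literal also trips the gate.
        // That is deliberate: this check prefers false rejections to false acceptances.
        if (Forbidden.IsMatch(body)) return false;
        return Leading.IsMatch(body);
    }

    public static void Main()
    {
        // Constructed sample queries for the demonstration.
        string[] samples =
        {
            "SELECT CustomerId, CompanyName FROM Customers",
            "WITH t AS (SELECT 1 AS n) SELECT n FROM t;",
            "SELECT 1; DROP TABLE Customers",
            "SELECT 1 /* ; DELETE FROM Orders",
            "SELECT * INTO Backup FROM Orders",
            "UPDATE Orders SET Shipped = 1"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-6} {1}", IsSingleSelect(s) ? "ok" : "REJECT", s);
    }
}
```

Only the first two samples pass; the unterminated comment in the fourth is not stripped, so its ';' is treated as a second statement.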
You Invoke the Data Source Wizard Manually
You're using SqlDataSource as a standalone component to display the Data Source Wizard for your custom controls
Much like the previous scenario, the SQL statement editor will be read-only by default. You can set the relevant options in code when you invoke the wizard. Here's how to enable the editor and invoke the Data Source Wizard:
// Create the query-editing context and allow manual SQL editing.
DevExpress.DataAccess.UI.Sql.EditQueryContext context = new DevExpress.DataAccess.UI.Sql.EditQueryContext();
context.Options |= DevExpress.DataAccess.Wizard.SqlWizardOptions.EnableCustomSql;
// Let the end-user configure the connection, then open the Data Source Wizard to add a query.
DevExpress.DataAccess.UI.Sql.SqlDataSourceUIHelper.ConfigureConnection(sqlDataSource1);
bool result = DevExpress.DataAccess.UI.Sql.SqlDataSourceUIHelper.AddQuery(sqlDataSource1, context);
The same standard validation parser will restrict SQL commands and allow only SELECT statements. If you need to modify validation, you must handle the following event.

You Open a Previously Saved Layout File
Layout files generated by DevExpress designers may contain custom SQL queries
Let's assume you've created a data source for a Dashboard or a Report and then saved the layout. That file contains the data connection settings. If you modify the file to include a SQL command other than SELECT and then load the document back into the dashboard, updated versions of the DevExpress assemblies will validate the SQL on load.

Once again, validation restricts SQL commands to SELECT statements. If validation fails, the DevExpress.DataAccess.Sql.CustomSqlQueryValidationException exception is thrown.
If you want to disable validation, we've included a static member in the SqlDataSource class:
DevExpress.DataAccess.Sql.SqlDataSource.DisableCustomQueryValidation = true;
If you want to skip SQL query execution altogether, we've included the following option:
DevExpress.DataAccess.Sql.SqlDataSource.AllowCustomSqlQueries = true;
To modify SQL validation algorithms, review our implementation or contact our support team via the DevExpress Support Center.