This is not the best way, or any way a good way of storing your application's actual business logic (the SQL queries) in an XML file, any user if able to bypass your authentication would easily be able to read the content of this file, and upon a single command of SQL Injection, he could possibly delete all of your data and/or delete the schema of your database. Too bad approach.
Another major thing that this is a bad way, is that it would require double time by your developers; if you're having a team. It would first require them to deserialize the XML into an object, and then using its nodes and members you should have to extract the string of commands and then execute them. Too much wastage of machine cycles.
A good way of doing this would be, to remember the foreign keys; a good developer must know how the schema of his database is defined. Secondly, the commands must be in your actual logic page; no where else. Since you're talking about ASP.NET. I would guide you to leave these methods and use MVC framework, which has a few patterns that you can use to secure your web application. You can read
this article[
^] to learn more on this framework.