How do I efficently delete from multiple tables

Question

0.00/5 (No votes)

See more:

I have 5 tables I am currently deleting from. Here is how they all are setup:

For Each dgvr As DataGridViewRow In DataGridView1.SelectedRows
 Using sqlcon As New SqlConnection(connectionstring + ComboBox1.Text + ".mdf;Integrated Security=True")
                    Try
                       sqlcon.Open()
                        Dim Sources As String = "Delete from " + "[Profile]" + " where Id = @ID"

                        Dim cmd As SqlClient.SqlCommand
                        cmd = New SqlClient.SqlCommand(Sources, sqlcon)
                        cmd.Parameters.AddWithValue("@ID", dgvr.Cells(0).Value.ToString)

                        cmd.ExecuteNonQuery()

                        sqlcon.Close()

                    Catch ex As Exception

                    End Try

                End Using
Next

The only difference when deleting from the other tables is the ID is individual_ID, but it is a reference to the initial ID. However, I still use the dgvr.Cells(0).Value.ToString

I tried a batch of about 8,000 to delete and it takes about 20 minutes to delete such a small batch.

any suggestions?

What I have tried:

I have tried to use a join statement, however, when I tried to run the code the statement never fired. So, I assumed that either the statement was wrong or vb.net has a hard time understanding the join code.

Posted 31-Aug-18 5:12am

Member 11856456

Updated 14-Sep-18 8:02am

v2

Add a Solution

Comments

Richard Deeming 31-Aug-18 11:37am

Your code is potentially vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]

Richard Deeming 31-Aug-18 11:38am

Do you have foreign keys set up on the tables with ON DELETE CASCADE set?

Member 11856456 31-Aug-18 11:47am

I have no foreign keys set up on any table, mainly because people have to work around them. Would people still be able to use an SQL injection since the code requires selection of rows and nothing to be typed in?

Richard Deeming 31-Aug-18 11:51am

If the keys are definitely integers, and the user definitely can't type in the cell, then you should be safe in this instance.

But it's a good habit to always use parameters anyway. It can help with performance - SQL can re-use a cached query plan, rather than creating a new query plan for each different value. And you'll avoid vulnerabilities in the future if the assumptions change, but you forget to update the code accordingly. :)

Member 11856456 31-Aug-18 12:01pm

I have changed my code, I have now included a parameterized statement. Please review the code above. However, I do not understand the cached query plan. Can you give me an example?

Richard Deeming 31-Aug-18 12:06pm

Multiple Plans - Brent Ozar Unlimited®[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Emmerel · Answer 1 · 2018-09-14T08:02:00

Aside from the obvious security vulnerabilities in your code, in your loop just create a string of all users, separated by a comma (e.g. "'BILL', 'JANE', 'TOM'"). Then run your query but change "where ID=" to "where ID IN (" + your Id's + ")". This way the query runs only once.

But again, and as others have said, you're opening yourself up to a SQL Injection attack.