modernize code examples

Author: gewarren

docs/fundamentals/code-analysis/quality-rules/ca1816.md

@@ -36,7 +36,7 @@ Violations of this rule can be caused by:
 
 ## Rule description
 
-The <xref:System.IDisposable.Dispose%2A?displayProperty=nameWithType> method lets users release resources at any time before the object becoming available for garbage collection. If the <xref:System.IDisposable.Dispose%2A?displayProperty=nameWithType> method is called, it frees resources of the object. This makes finalization unnecessary. <xref:System.IDisposable.Dispose%2A?displayProperty=nameWithType> should call <xref:System.GC.SuppressFinalize%2A?displayProperty=nameWithType> so the garbage collector doesn't call the finalizer of the object.
+The <xref:System.IDisposable.Dispose%2A?displayProperty=nameWithType> method lets users release resources at any time before the object becomes available for garbage collection. If the <xref:System.IDisposable.Dispose%2A?displayProperty=nameWithType> method is called, it frees resources of the object. This makes finalization unnecessary. <xref:System.IDisposable.Dispose%2A?displayProperty=nameWithType> should call <xref:System.GC.SuppressFinalize%2A?displayProperty=nameWithType> so the garbage collector doesn't call the finalizer of the object.
 
 To prevent derived types with finalizers from having to reimplement <xref:System.IDisposable> and to call it, unsealed types without finalizers should still call <xref:System.GC.SuppressFinalize%2A?displayProperty=nameWithType>.
 

docs/fundamentals/code-analysis/quality-rules/ca2100.md

@@ -1,7 +1,7 @@
 ---
 title: "CA2100: Review SQL queries for security vulnerabilities (code analysis)"
 description: "Learn about code analysis rule CA2100: Review SQL queries for security vulnerabilities"
-ms.date: 11/04/2016
+ms.date: 09/24/2025
 f1_keywords:
 - Review SQL queries for security vulnerabilities
 - ReviewSqlQueriesForSecurityVulnerabilities
@@ -37,7 +37,7 @@ This rule assumes that any string whose value can't be determined at compile tim
 - Use a parameterized command string.
 - Validate the user input for both type and content before you build the command string.
 
-The following .NET types implement the <xref:System.Data.IDbCommand.CommandText%2A> property or provide constructors that set the property by using a string argument.
+The following .NET types implement the <xref:System.Data.IDbCommand.CommandText%2A> property or provide constructors that set the property by using a string argument:
 
 - <xref:System.Data.Odbc.OdbcCommand?displayProperty=fullName> and <xref:System.Data.Odbc.OdbcDataAdapter?displayProperty=fullName>
 - <xref:System.Data.OleDb.OleDbCommand?displayProperty=fullName> and <xref:System.Data.OleDb.OleDbDataAdapter?displayProperty=fullName>
@@ -64,7 +64,7 @@ To fix a violation of this rule, use a parameterized query.
 
 ## When to suppress warnings
 
-It is safe to suppress a warning from this rule if the command text does not contain any user input.
+It's safe to suppress a warning from this rule if the command text does not contain any user input.
 
 ## Suppress a warning
 

docs/fundamentals/code-analysis/quality-rules/snippets/csharp/all-rules/.editorconfig

@@ -17,3 +17,6 @@ dotnet_diagnostic.CA1822.severity = none
 
 # CA2200: Rethrow to preserve stack details
 dotnet_diagnostic.CA2200.severity = suggestion
+
+# CA2100
+dotnet_diagnostic.CA2100.severity = warning

docs/fundamentals/code-analysis/quality-rules/snippets/csharp/all-rules/ca1806.cs

@@ -7,11 +7,8 @@ public class Book
 
         public Book(string title)
         {
-            if (title != null)
-            {
-                // Violates this rule
-                title.Trim();
-            }
+            // Violates this rule
+            title?.Trim();
 
             _Title = title;
         }

docs/fundamentals/code-analysis/quality-rules/snippets/csharp/all-rules/ca1816.cs

@@ -1,12 +1,12 @@
 using System;
-using System.Data.SqlClient;
+using System.IO;
 
 namespace ca1816
 {
     //<snippet1>
-    public class DatabaseConnector : IDisposable
+    public class MyStreamClass : IDisposable
     {
-        private SqlConnection? _Connection = new SqlConnection();
+        private MemoryStream? _stream = new();
 
         public void Dispose()
         {
@@ -18,11 +18,8 @@ protected virtual void Dispose(bool disposing)
         {
             if (disposing)
             {
-                if (_Connection != null)
-                {
-                    _Connection.Dispose();
-                    _Connection = null;
-                }
+                _stream?.Dispose();
+                _stream = null;
             }
         }
     }
@@ -32,9 +29,9 @@ protected virtual void Dispose(bool disposing)
 namespace ca1816_2
 {
     //<snippet2>
-    public class DatabaseConnector : IDisposable
+    public class MyStreamClass : IDisposable
     {
-        private SqlConnection? _Connection = new SqlConnection();
+        private MemoryStream? _stream = new();
 
         public void Dispose()
         {
@@ -46,11 +43,8 @@ protected virtual void Dispose(bool disposing)
         {
             if (disposing)
             {
-                if (_Connection != null)
-                {
-                    _Connection.Dispose();
-                    _Connection = null;
-                }
+                _stream?.Dispose();
+                _stream = null;
             }
         }
     }

docs/fundamentals/code-analysis/quality-rules/snippets/csharp/all-rules/ca2100.cs

@@ -1,16 +1,16 @@
 using System.Data;
-using System.Data.SqlClient;
+using System.Data.OleDb;
 
 namespace ca2100
 {
     //<snippet1>
-    public class SqlQueries
+    public class OleDbQueries
     {
         public object UnsafeQuery(
            string connection, string name, string password)
         {
-            SqlConnection someConnection = new SqlConnection(connection);
-            SqlCommand someCommand = new SqlCommand();
+            using OleDbConnection someConnection = new(connection);
+            using OleDbCommand someCommand = new();
             someCommand.Connection = someConnection;
 
             someCommand.CommandText = "SELECT AccountNumber FROM Users " +
@@ -26,14 +26,14 @@ public object UnsafeQuery(
         public object SaferQuery(
            string connection, string name, string password)
         {
-            SqlConnection someConnection = new SqlConnection(connection);
-            SqlCommand someCommand = new SqlCommand();
+            using OleDbConnection someConnection = new(connection);
+            using OleDbCommand someCommand = new();
             someCommand.Connection = someConnection;
 
             someCommand.Parameters.Add(
-               "@username", SqlDbType.NChar).Value = name;
+               "@username", OleDbDbType.NChar).Value = name;
             someCommand.Parameters.Add(
-               "@password", SqlDbType.NChar).Value = password;
+               "@password", OleDbDbType.NChar).Value = password;
             someCommand.CommandText = "SELECT AccountNumber FROM Users " +
                "WHERE Username=@username AND Password=@password";
 
@@ -48,7 +48,7 @@ class MaliciousCode
     {
         static void Main2100(string[] args)
         {
-            SqlQueries queries = new SqlQueries();
+            OleDbQueries queries = new OleDbQueries();
             queries.UnsafeQuery(args[0], "' OR 1=1 --", "[PLACEHOLDER]");
             // Resultant query (which is always true):
             // SELECT AccountNumber FROM Users WHERE Username='' OR 1=1

docs/fundamentals/code-analysis/quality-rules/snippets/vb/all-rules/.editorconfig

@@ -2,3 +2,4 @@
 dotnet_diagnostic.CA1420.severity = suggestion
 dotnet_diagnostic.CA1422.severity = suggestion
 dotnet_diagnostic.CA2200.severity = suggestion
+dotnet_diagnostic.CA2100.severity = warning

docs/fundamentals/code-analysis/quality-rules/snippets/vb/all-rules/ca1816-call-gc-suppressfinalize-correctly_1.vb

@@ -1,25 +1,24 @@
-Imports System
-Imports System.Data.SqlClient
+Imports System.IO
 
 Namespace ca1816
 
     '<snippet1>
-    Public Class DatabaseConnector
+    Public Class MyStreamClass
         Implements IDisposable
 
-        Private _Connection As New SqlConnection
+        Private _stream As New MemoryStream
 
         Public Sub Dispose() Implements IDisposable.Dispose
             Dispose(True)
-            ' Violates rules
+            ' Violates rule.
             GC.SuppressFinalize(True)
         End Sub
 
         Protected Overridable Sub Dispose(ByVal disposing As Boolean)
             If disposing Then
-                If _Connection IsNot Nothing Then
-                    _Connection.Dispose()
-                    _Connection = Nothing
+                If _stream IsNot Nothing Then
+                    _stream.Dispose()
+                    _stream = Nothing
                 End If
             End If
         End Sub
@@ -31,10 +30,10 @@ End Namespace
 
 Namespace ca1816_2
     '<snippet2>
-    Public Class DatabaseConnector
+    Public Class MyStreamClass
         Implements IDisposable
 
-        Private _Connection As New SqlConnection
+        Private _stream As New MemoryStream
 
         Public Sub Dispose() Implements IDisposable.Dispose
             Dispose(True)
@@ -43,9 +42,9 @@ Namespace ca1816_2
 
         Protected Overridable Sub Dispose(ByVal disposing As Boolean)
             If disposing Then
-                If _Connection IsNot Nothing Then
-                    _Connection.Dispose()
-                    _Connection = Nothing
+                If _stream IsNot Nothing Then
+                    _stream.Dispose()
+                    _stream = Nothing
                 End If
             End If
         End Sub

docs/fundamentals/code-analysis/quality-rules/snippets/vb/all-rules/ca2100-review-sql-queries-for-security-vulnerabilities_1.vb

@@ -1,20 +1,21 @@
-Imports System
-Imports System.Data
-Imports System.Data.SqlClient
+Imports System.Data
+Imports System.Data.OleDb
+Imports System.Runtime.Versioning
 
 Namespace ca2100
 
     Public Class SqlQueries
 
+        <SupportedOSPlatform("windows")>
         Function UnsafeQuery(connection As String,
          name As String, password As String) As Object
 
-            Dim someConnection As New SqlConnection(connection)
-            Dim someCommand As New SqlCommand()
-            someCommand.Connection = someConnection
-
-            someCommand.CommandText = "SELECT AccountNumber FROM Users " &
-            "WHERE Username='" & name & "' AND Password='" & password & "'"
+            Dim someConnection As New OleDbConnection(connection)
+            Dim someCommand As New OleDbCommand With {
+                .Connection = someConnection,
+                .CommandText = "SELECT AccountNumber FROM Users " &
+                "WHERE Username='" & name & "' AND Password='" & password & "'"
+            }
 
             someConnection.Open()
             Dim accountNumber As Object = someCommand.ExecuteScalar()
@@ -23,16 +24,18 @@ Namespace ca2100
 
         End Function
 
+        <SupportedOSPlatform("windows")>
         Function SaferQuery(connection As String,
          name As String, password As String) As Object
 
-            Dim someConnection As New SqlConnection(connection)
-            Dim someCommand As New SqlCommand()
-            someCommand.Connection = someConnection
+            Dim someConnection As New OleDbConnection(connection)
+            Dim someCommand As New OleDbCommand With {
+                .Connection = someConnection
+            }
 
-            someCommand.Parameters.Add(
+            someCommand.Parameters.AddWithValue(
             "@username", SqlDbType.NChar).Value = name
-            someCommand.Parameters.Add(
+            someCommand.Parameters.AddWithValue(
             "@password", SqlDbType.NChar).Value = password
             someCommand.CommandText = "SELECT AccountNumber FROM Users " &
             "WHERE Username=@username AND Password=@password"
@@ -48,6 +51,7 @@ Namespace ca2100
 
     Class MaliciousCode
 
+        <SupportedOSPlatform("windows")>
         Shared Sub Main2100(args As String())
 
             Dim queries As New SqlQueries()