Ok so basicly i am running net values on my server and client side.... a user can do this in console
lua_run_cl for k, v in pairs( player.GetAll() ) do net.Start( "BlahBlah" ) net.WriteEntity( v ) net.WriteString( "Blah" ) net.SendToSever() end
And it will run the net.Receive( "BlahBlah" ) function or whatever... So how can i stop that from happening.. (allowing users to run this command)
NOTE: I want this to be only ran when a button is clicked on a derma!
Thanks, XxLMM13xXgaming
[B][U]NOW SOLVED!!!![/U][/B]
sv_allowcslua 0
and get an anticheat
You shouldn't be trusting the client and it sounds like you are, without seeing the code however its going to be hard to help you.
[QUOTE=liqob;48570152]sv_allowcslua 0
and get an anticheat[/QUOTE]
Well im going to be releasing this addon so i want to avoid the need of a anti cheat... ill see about the sv_allowcslua
[QUOTE=King Penisless;48570160]You shouldn't be trusting the client and it sounds like you are, without seeing the code however its going to be hard to help you.[/QUOTE]
Im going to try something else and then i will send a snip of the code to see if you can help!
You're not using net.WriteEntity(LocalPlayer()) are you? Why aren't you using the ply argument in the net.Receive function server side?
[QUOTE=LegoGuy;48581561]You're not using net.WriteEntity(LocalPlayer()) are you? Why aren't you using the ply argument in the net.Receive function server side?[/QUOTE]
Well i am but even if i did not im pretty sure this can be exploitable... Anyone can still do the for loop to get all players and do what ever they want... But i will stop the LocalPlayer() because yes i am doing this...
[QUOTE=XxLMM13xXx;48581603]Well i am but even if i did not im pretty sure this can be exploitable... Anyone can still do the for loop to get all players and do what ever they want... But i will stop the LocalPlayer() because yes i am doing this...[/QUOTE]
Not to be mean or anything, but net.WriteEntity(LocalPlayer()) is the [I]absolute worst[/I] thing ever in network security.
If you use the ply argument serverside, the server knows who sent that message, therefore, no one can do harm to any other user.
There's no way to completely stop the client from being bad, it's bound to happen. You're going to have to make sure that everything is in check yourself. Hey, besides, it makes you practice good security habits.
Remember the huge bug heartbleed? It was caused by trusting values sent from the client too much. Not unlike what you're doing.
so,
CLIENTSIDE:
[lua]
net.Start("MyAwesomeMsg")
net.WriteString("Hardihar")
net.SendToServer()
[/lua]
SERVERSIDE:
[lua]
net.Recieve("MyAwesomeMsg",function(len,ply)
local str = net.ReadString()
MsgN("The player who sent the message was "..ply:SteamID().." with message "..str)
end)
[/lua]
Again, never trust the client, never trust the client, and always make sure to never trust the client.
[editline]31st August 2015[/editline]
If you don't want them to send the message a billion times a second, check that on the server. If they are, ban them.
Maybe what you're doing shouldn't be done on the client at all and instead be handled by the server. This is something you should really consider.
[QUOTE=XxLMM13xXx;48581603]Well i am but even if i did not im pretty sure this can be exploitable... Anyone can still do the for loop to get all players and do what ever they want... But i will stop the LocalPlayer() because yes i am doing this...[/QUOTE]
Using the sender argument in net.Recieve will always be the same sender, regardless of whether this sender looped through all players, as it is still that [I]same sender sending the messages[/I]. Even net.WriteEntity( v ) will do absolutely nothing if the server doesn't read it and instead uses the sender argument.
Ya i got this fixed for the most part... thanks to everyone!
Sorry, you need to Log In to post a reply to this thread.
