How to stop an exploit

Ok so basically I am running net values on my server and client side… a user can do this in console

lua_run_cl for k, v in pairs( player.GetAll() ) do net.Start( "BlahBlah" ) net.WriteEntity( v ) net.WriteString( "Blah" ) net.SendToServer() end

And it will run the net.Receive( "BlahBlah" ) function or whatever… So how can I stop that from happening… (allowing users to run this command)

NOTE: I want this to be only run when a button is clicked on a derma!

Thanks, XxLMM13xXgaming


sv_allowcslua 0
and get an anticheat

You shouldn’t be trusting the client, and it sounds like you are. Without seeing the code, however, it’s going to be hard to help you.

Well, I’m going to be releasing this addon, so I want to avoid the need for an anti-cheat… I’ll see about the sv_allowcslua

I’m going to try something else and then I will send a snip of the code to see if you can help!

You’re not using net.WriteEntity(LocalPlayer()) are you? Why aren’t you using the ply argument in the net.Receive function server side?

Well, I am, but even if I did not, I’m pretty sure this can be exploitable… Anyone can still do the for loop to get all players and do whatever they want… But I will stop the LocalPlayer() because yes, I am doing this…

Not to be mean or anything, but net.WriteEntity(LocalPlayer()) is the absolute worst thing ever in network security.

If you use the ply argument serverside, the server knows who sent that message, therefore, no one can do harm to any other user.

There’s no way to completely stop the client from being bad, it’s bound to happen. You’re going to have to make sure that everything is in check yourself. Hey, besides, it makes you practice good security habits.

Remember the huge bug Heartbleed? It was caused by trusting values sent from the client too much. Not unlike what you’re doing.

local str = net.ReadString()
MsgN("The player who sent the message was "..ply:SteamID().." with message "..str)

Again, never trust the client, never trust the client, and always make sure to never trust the client.

Edit (31st August 2015):

If you don’t want them to send the message a billion times a second, check that on the server. If they are, ban them.
Maybe what you’re doing shouldn’t be done on the client at all and instead be handled by the server. This is something you should really consider.

Using the sender argument in net.Receive will always be the same sender, regardless of whether this sender looped through all players, as it is still that same sender sending the messages. Even net.WriteEntity( v ) will do absolutely nothing if the server doesn’t read it and instead uses the sender argument.

Ya, I got this fixed for the most part… thanks to everyone!
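
What the replies describe, as an added example that is not part of the thread or the poster's addon: a server-side receiver that takes the acting player from the `ply` argument, never reads an entity from the client, and rate-limits and allow-lists the payload. The message name "BlahBlah" is from the thread; `COOLDOWN`, `MAX_LEN`, `MAX_STRIKES`, `ALLOWED`, the `Alive()` precondition and the kick-on-spam policy are assumptions.

```lua
-- Server-side file (added example; constants and policy below are assumed).
util.AddNetworkString( "BlahBlah" )

local COOLDOWN    = 1                -- assumed: seconds between accepted messages
local MAX_LEN     = 64               -- assumed: longest string the addon accepts
local MAX_STRIKES = 20               -- assumed: rejected messages before a kick
local ALLOWED     = { Blah = true }  -- assumed: the only values the derma button sends

local nextAllowed = {}  -- per-player CurTime() after which a message is accepted
local strikes     = {}  -- per-player count of messages sent during the cooldown

net.Receive( "BlahBlah", function( len, ply )
    -- ply is supplied by the engine and identifies the real sender.
    -- The handler never calls net.ReadEntity(), so a console loop over
    -- player.GetAll() can only ever act as the player who typed it.
    if not IsValid( ply ) then return end

    local now = CurTime()
    if ( nextAllowed[ ply ] or 0 ) > now then
        strikes[ ply ] = ( strikes[ ply ] or 0 ) + 1
        if strikes[ ply ] >= MAX_STRIKES then
            ply:Kick( "Net message spam" )
        end
        return
    end
    nextAllowed[ ply ] = now + COOLDOWN
    strikes[ ply ] = 0

    -- The payload is still untrusted: bound it and compare to known values.
    -- A message built the old way (entity first) fails this check and is dropped.
    local str = net.ReadString()
    if #str > MAX_LEN or not ALLOWED[ str ] then return end

    -- Re-check on the server whatever the button was meant to guarantee
    -- (assumed precondition: the player must be alive).
    if not ply:Alive() then return end

    MsgN( "The player who sent the message was " .. ply:SteamID() .. " with message " .. str )
    -- Apply the effect to ply only.
end )

-- Drop per-player state so the tables do not grow as players leave.
hook.Add( "PlayerDisconnected", "BlahBlah_Cleanup", function( ply )
    nextAllowed[ ply ] = nil
    strikes[ ply ] = nil
end )
```

The matching client code sends only `net.WriteString( "Blah" )` from the button's `DoClick`; the server cannot tell a button click from a console command, which is why every check lives in the receiver.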