Restricting Console Commands

Right now, I use console commands to communicate between client and server. After realising that I can now just run these at any time I have been trying to restrict them or put some check on them so they can only be run by the script and not someone typing the command into the console. So far I have had no luck so I tried searching for similar problems and couldn’t find an answer. If you know a solution I’ll be happy to hear it. Thanks.

You can’t. You can use ~ in the console command name but that’s only a trivial stopper.

You should always be checking variables serverside to make sure they are legit.

It shouldn’t matter if they enter the command manually or the script does.

In the function called by your console command, make a check on player before executing it.

function Test( player, command, arguments )
    // Only super admins get past this check
    if !player:IsSuperAdmin() then return end
    // Rest of the code here
end
concommand.Add( "testcommand", Test )

I hope I didn’t misunderstand you. O.o

edit : I actually have. Nvm. You’ll probably have to use another way for these commands the player shouldn’t run.

another edit : Potentially or

I don’t know what I’m talking about. :slight_smile:

Different countries use different keys for the tilde. For example, mine is `, and located on the left of the 1 key. My ~ key is above shift, and does not activate the console.

This may be a completely retarded idea, but you could send a random 6 digit number to the clients when they initially join, then send that as an argument in every console command run on the client, on the server check if this number is equal to the number you sent them, if so, allow the command to run, if not then don’t run the command. (I hope I explained that well enough).

This may be a completely retarded comment, but if the 6 digit code is communicated to the client, what’s stopping them from reading the code and figuring out a way to retrieve it? (Assuming no script enforcing) It just sounds too hacky.

You could encode it some way, shape or form. I believe there is a way to CRC hash a string. It might not be possible to easily decode it, so GLON might be more useful.

But surely instead of setting all of that up there’s a simpler way for the client to send the server Data. Isn’t that what Datastream is (partly) for? (Not saying you should use it for everything, there’s been enough Datastream flaming)

You can use the datastream to send data to the server, although it is just as exploitable.

Instead of restricting console commands, you should just validate the information sent, since there will always be a way to exploit it. You can make it hard, but not impossible.

The datastream will put off all casual exploiters, but you should never be trusting the client to only send messages when it should. Do ALL checks serverside and always assume all user input is malicious.
Welcome to the wonderful world of Computer Security.
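
Added example (not part of the thread, and not any poster's code): a server-side handler in Garry's Mod Lua that treats every argument of a console command as untrusted, so it makes no difference whether the script or a player typing in the console sent it. The command name `buy_item`, the item list, the wallet table and the limits are assumptions made up for illustration.

```lua
-- Server-side only. All state the decision depends on lives on the server.
local ITEMS    = { medkit = 50, armor = 120 } -- constructed price list
local wallet   = {}                           -- balances, keyed by player
local lastUse  = {}                           -- time of last accepted call
local COOLDOWN = 1                            -- seconds between purchases

-- Pure validation: returns true and the cost, or false and a reason.
-- Nothing in args is trusted; prices and balances come from server tables.
local function ValidateBuy(ply, args, now)
    if #args ~= 2 then
        return false, "usage: buy_item <name> <count>"
    end
    local price = ITEMS[args[1]]              -- whitelist lookup
    if not price then return false, "unknown item" end
    local count = tonumber(args[2])
    -- Rejects non-numbers, fractions, negatives, zero, huge values, nan/inf
    if not count or count ~= math.floor(count) or count < 1 or count > 10 then
        return false, "count must be a whole number from 1 to 10"
    end
    -- Rate limit: a typed or scripted flood is dropped the same way
    if now - (lastUse[ply] or -math.huge) < COOLDOWN then
        return false, "too fast"
    end
    local cost = price * count
    if (wallet[ply] or 0) < cost then
        return false, "not enough money"
    end
    return true, cost
end

local function BuyItem(ply, cmd, args)
    if not IsValid(ply) then return end       -- e.g. run from server console
    local ok, result = ValidateBuy(ply, args, CurTime())
    if not ok then
        ply:PrintMessage(HUD_PRINTCONSOLE, "buy_item rejected: " .. result)
        return
    end
    lastUse[ply] = CurTime()
    wallet[ply]  = wallet[ply] - result
    -- Grant the item here, using server-side state only
end

concommand.Add("buy_item", BuyItem)
```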


What the hell did I write?

If you want to block a command entirely, try something like this on the client:


Or if you want to check who can use a concommand, try something like this:

function MyCommand(pl,cmd,args)
        -- Only admins reach the body of the command
        if pl:IsAdmin() then
                -- Do stuff
        end
end

Could you tell us what you’re trying to send to the server Shifty50?

Would people please stop using that method to block commands. Do you know how annoying it is?

Not as annoying as CreateConVar("mycommand","BLOCKED",true,false)? :wink:

or… concommand.Remove( "hello" );

A) You could re-add the command
B) You can’t ‘concommand.Remove’ commands not added in Lua.