When to use SendLua vs net messages?

So there has been a few times where for example i were gonna show something in chat server sided and i would have to write a net message to the client and do the chat.AddText(). But would it be more efficient to do it in 1 line and just do ply:SendLua(“chat.AddText()”)?

If any of the data being sent is user-defined, then I would use net messages to prevent lua injection into the string. I’ve personally never used SendLua and I know a few people who would recommend against it.

SendLua has a limit of 256 ( or so ) characters, net messages have a limit of 64KB ( 64 * 1024 characters ) ( 1024 chars per one WriteString ). You do the math which is better.

You could always just make your own SendLua using the net library. It’s as simple as net.WriteString, net.ReadString, RunString. You could then use that function in everything you need.

Ok, so new question which is more efficient if we’re using the normal sendlua vs a net message?

If I remember correctly, RunString uses usermessages, hence the limit.
Once again, if I remember correctly, while usermessages are depreciated they are faster than net messages.
So I guess it’s up to you; how long do you expect your strings to be?

Sendlua is an anti-pattern, and a major security risk and should never actually be used in production.

What is an anti-pattern?

Google “programming anti-pattern”:

Well for things like chat.AddText() there’s a limit in chat which i assume would be somewhere around 128 characters, it would be fine to use SendLua rather than a net message. But for something larger like a long list of players or some kind of data its best to stick to net messages. Correct?

The client can create a list of players using a for loop and player.GetAll().

Personally, I use a net message for chat.AddText() because it means cleaner code.

Just make a small function for chat.AddText(), it’s what most people do.

For example I just use a meta for it

ply:CCHatPrint(tablecontent)

Yeah i was just using that as the first examples that came to mind.

Never ever use SendLua unless you actually need to run some piece of lua code on clients that is different each time. SendLua simply opens you up to security risks if someone injects code into it.

Make your steam name



") while {} do end print("


And see what happens on a server using SendLua for chat (or anything that sends your name really).
I only provide this because honestly anyone who uses SendLua like this diserves to learn the hard way.

Someone posted this before:

[lua]
if SERVER then
local PLAYER = FindMetaTable(“Player”)
util.AddNetworkString( “ColoredMessage” )

function BroadcastMsg(...)
	local args = {...}
	net.Start("ColoredMessage")
	net.WriteTable(args)
	net.Broadcast()
end

function PLAYER:PlayerMsg(...)
	local args = {...}
	net.Start("ColoredMessage")
	net.WriteTable(args)
	net.Send(self)
end

elseif CLIENT then
net.Receive(“ColoredMessage”,function(len)
local msg = net.ReadTable()
chat.AddText(unpack(msg))
chat.PlaySound()
end)
end
[/lua]

Goes in a shared file, then you can use ply:PlayerMsg() and BroadcastMsg() the same way as chat.AddText()

Yeah, I posted this in a thread a while back. It’s actually taken straight out of my admin mod. Perhaps this should be put on the wiki as an example of how to do a serverside chat.AddText() function.

It’s pretty damn useful!
Been using it everywhere :slight_smile:

Out of laziness and without any user input, it isn’t that much of a security risk, right?

Simply sending static strings isn’t going to be a security risk when using SendLua, but it should not be used over net messages. The Lua string is going to need to be parsed which is just additional overhead.

As a rule of thumb, avoid using SendLua for anything being sent to the server (or between clients too if you relay it through the server) when the client can influence the data in big ways. If your code ensures that the data can only be modified in certain ways (incrementing a number, using a combo box for input, etc.) you can probably get away with it as the data should be safe. But if it lets the user input their own strings of data (names, text, and so on). It becomes dangerous unless you sanitise it or limit it.

Use the net library for data transfer unless you have 100% control over what will be transferred. Don’t worry about optimisation to this extent, you won’t see massive gains.