Are inappropiate strings in datastores a risk for my game?

I’m writing an FPS attachment system that saves its own configurations based on a JSON string, something like this but JSON-converted whenever it’s being saved:

Problem is, the client can currently save whatever they want to, which is currently just stopped by the attachment system being type-secure (A receiver has chosen mounting points, with chosen mount classes, which means an incorrect class or an out-for-range lerp will either error or be ignored)

This is fine, at least right now, however, let’s say a little funny child tells the server to save this:

The gun will still compile, as it ignores anything it doesn’t specifically SEARCH for, and no one will see it actually inside the string, however i’d like to know:

Is this gonna result in moderation?

Do you plan on showing this string to other players? Any input from a player that will be shown is supposed to be filtered.

As i mentioned in the thread, the client can save anything they want to the datastore, however it is not going to be shown; these are just gun compilation instructions.

2nd thing, it is KINDA going to be shown in the demo, but only for your own properties;

If given child were to exploit, the swear-words would only be visible for him (at least at the moment), and after the game’s out of alpha, by basically no one.

Well, it would be their fault for putting a bad word.

If it’s not going to be shown to anyone except who inputted it you probably wouldn’t need to worry. But if you want to be 100% safe, what you can do is send the string to the server for it to be filtered. If it gets filtered then tell the client to choose another name, that is appropriate


yeah, i can’t filter literal compilation instructions. The raw, original settings have no keyboard input-based things aside from what is mounted on the gun, meaning a real player that didn’t decide to dump 20$ on an exploit wouldn’t be able to save any swear-words there.

aside, Thanks for the answer!

1 Like

If you know what valid instructions are, can’t you just prevent them from being added at all in the first place? Do clients directly input JSON?

If you’re printing this string to the local console unfiltered you may be at risk.

1 Like

I wrote a validator, it’s just a hassle to keep the correct instructions updated (and it didn’t work very well because it was written at 3am). I wanted to know whether i could get rid of it.

You should define your valid instructions in a module script table that maps symbol to instruction string. Then just reference the symbols out of the table in your validator code. Then you’re always forced to define the symbol before you use it, and the list stays up to date.

local map = {InstructionSymbol = “InstructionName”}

You should avoid printing unfiltered user input pulled from datastore to the local console. This is functionally the same as putting it right into a GUI.

1 Like