I wanted to add a way for players in private servers to add their own creations into the game via them inputting scripts that I would execute using loadstring, but it would cause some issues if the player used datastores or badges to modify their progress in public servers.
At first I thought I could just use string.find to check if the input mentions :GetDataStore or :AwardBadge, but if the player obfuscates their code I won't be able to do that.
Is it even possible to check for or prevent accessing certain functions in obfuscated code? If so, how would I do it?
You likely won’t be able to prevent abuse. You could try locking down your in-game data by using HttpService and having some external database, but that could still be susceptible to abuse if you allow server side code execution.
I also wouldn’t recommend this because players could inject inappropriate or malicious code into your game, and you would still be liable as the creator. (i.e., you could end up banned)
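An added example (not part of either post, and not Roblox's own code): it shows why the `string.find` name check misses names built at runtime, next to the alternative of running the chunk in an allowlisted environment with `setfenv`. The names `naiveFilter`, `runSandboxed` and `makeEnv`, the allowlist contents and the sample script are assumptions constructed for illustration. It does not limit CPU or memory use, and any Instance you add to the allowlist can lead back to `game`.

```lua
-- Added example: Lua 5.1 / Luau, needs loadstring and setfenv to be available.

-- The name check from the question: plain-text search for the two method names.
local function naiveFilter(source)
    return not (source:find(":GetDataStore", 1, true)
        or source:find(":AwardBadge", 1, true))
end

local function copy(t)
    local c = {}
    for k, v in pairs(t) do c[k] = v end
    return c
end

-- Allowlist environment (contents are an assumption; tailor to your game).
-- No game, workspace, script, require, getfenv, setfenv or loadstring.
local function makeEnv()
    return {
        print = print, pairs = pairs, ipairs = ipairs, type = type,
        tostring = tostring, tonumber = tonumber,
        math = copy(math), string = copy(string), table = copy(table),
    }
end

local function runSandboxed(source)
    -- Lua 5.1 loadstring also accepts precompiled chunks; refuse them.
    if source:sub(1, 1) == "\27" then
        return false, "bytecode rejected"
    end
    local chunk, err = loadstring(source, "player_script")
    if not chunk then
        return false, "compile error: " .. tostring(err)
    end
    setfenv(chunk, makeEnv()) -- global lookups now resolve only in the allowlist
    return pcall(chunk)       -- runtime errors come back as false, message
end

-- Constructed sample: the filtered names never appear literally in the source.
local sample = [==[
local svc = game["Get" .. "Service"](game, "DataStore" .. "Service")
return svc["GetData" .. "Store"]
]==]

print("name filter accepts sample:", naiveFilter(sample))
print("sandboxed run:", runSandboxed(sample))
```

The sandbox decides by what the chunk can reach rather than by what its text looks like, so it is unaffected by how the source is written.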