Hello there, so I recently heard the dangers of loadstring() and was quite frightened by it, so I made this post to ask if I could execute Lua without loadstring() from a textbox.
“In a script.” Other than that, there is no other way to execute Lua without a script, loadstring(), or the command line.
Loadstring is actually not that dangerous. A lot of fear surrounds it as players think you can use loadstring on the client, yet it is only set to be able to be used on the server. So logically, you could fire the server to loadstring a script, or you could loadstring it on the server. It doesn’t matter how you want to do it; loadstring isn’t that dangerous and it’ll get your job done.
Besides, exploits have already developed their own loadstring to be used in the executor… So they don’t really need Roblox’s loadstring (and loadstrings can only be done on the server in Roblox).
Very helpful! Alright, I will use it for my custom developer console!
Thank you! I will use loadstring() if there is no other way to do it, then.
Um, this is possible without loadstring(); you can use this module: https://www.roblox.com/library/5041463280/Lua-VM. Just put it in your game and do something like this:
require(path to module)(TextBox.Text)()
Thanks for the reply! About that, I don’t use free models; I always like creating my own stuff.
The danger in loadstring() is when you just allow anyone to use it. Just double check who is sending the remote event that contains the script.
Alright, I will do server-sided checks.
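The server-sided check discussed above, written out as an added example (not code from the thread or from Roblox): a server Script that only compiles console input from an explicit allowlist of developer UserIds. It assumes a RemoteEvent named "RunConsole" in ReplicatedStorage carrying the TextBox text, that ServerScriptService.LoadStringEnabled is turned on, and the UserIds in the allowlist are placeholders.

```lua
-- Added example: gate loadstring() behind a server-side allowlist.
-- Assumptions: ReplicatedStorage.RunConsole is a RemoteEvent fired by the
-- client console, and LoadStringEnabled is on in ServerScriptService.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local RunConsole = ReplicatedStorage:WaitForChild("RunConsole")

-- Placeholder UserIds; replace with the real developer accounts.
local ALLOWED_USER_IDS = {
    [1] = true,
    [2] = true,
}

-- Refuse absurdly large chunks before they ever reach the compiler.
local MAX_SOURCE_LENGTH = 4096

local function isAllowed(player)
    -- The Player object passed to OnServerEvent is supplied by the engine,
    -- so the UserId cannot be spoofed by the client; never trust any
    -- identity the client sends as an argument instead.
    return ALLOWED_USER_IDS[player.UserId] == true
end

RunConsole.OnServerEvent:Connect(function(player, source)
    if not isAllowed(player) then
        warn(("Rejected console input from %s (%d)"):format(player.Name, player.UserId))
        return
    end

    -- Validate the payload: the remote can be fired with anything.
    if typeof(source) ~= "string" or #source == 0 or #source > MAX_SOURCE_LENGTH then
        warn("Rejected malformed console input from", player.Name)
        return
    end

    -- loadstring returns the compiled chunk, or nil plus a compile error.
    local chunk, compileError = loadstring(source, "console@" .. player.Name)
    if not chunk then
        warn("Compile error for", player.Name, compileError)
        return
    end

    -- Run in pcall so a runtime error in the console cannot kill this script.
    local ok, runError = pcall(chunk)
    if not ok then
        warn("Runtime error for", player.Name, runError)
    end
end)
```

The allowlist is checked against `player.UserId` rather than anything in the remote's arguments, because the Player argument is the only identity the client cannot forge; the length and type checks just stop garbage from reaching loadstring at all.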
Consider using a custom Lua VM, also known by others as an interpreter. You feed it Lua bytecode, and it runs the bytecode like it was normal code, basically emulating how loadstring works.
Consider using FiOne, a community favorite. The repository includes an example of how to use it, and it’s open-source, so if you’re worried about malicious code you can easily check through it.
Could I possibly create my own Lua virtual machine?
Sure; however, it’s a difficult topic, so good luck. You can take a quick read over the link I provided to get an idea of how it usually works.
That looks like just the bytecode interpreter. @ThoseNamesAreGood is probably asking about a complete VM. (It includes the FiOne interpreter as well.)
A virtual machine runs the instructions that it’s given; it doesn’t compile the code. That’s a compiler, a separate piece of software.
Actually, loadstring is used by most exploiters, and so far almost all of the Roblox exploit videos I have watched use loadstring, which is likely the reason why it was even disabled on the client.
People aren’t afraid of loadstring itself, but of the implications of its use. Loadstring can be used to take control of the server if anyone ever gets access to it, and it’s also not very good programming practice to execute arbitrary strings of code. Therefore all of your functionality should be outside any strings and in, say, a ModuleScript (which haven’t always existed, but they do now, so use them).
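The ModuleScript approach suggested above, as an added example that is not code from the thread: the console sends a command name plus arguments, and the server looks the name up in a table of functions, so no string from the TextBox is ever compiled. It assumes a ModuleScript at ServerScriptService.Commands, a RemoteEvent "RunCommand" in ReplicatedStorage, and placeholder developer UserIds.

```lua
-- Added example: keep console functionality in a ModuleScript and dispatch
-- by name instead of executing arbitrary strings.
-- ===== ServerScriptService.Commands (ModuleScript) =====
local Commands = {}

-- Every command receives the calling Player and a table of arguments, and
-- returns (ok, errorMessage) so the caller can report failures.
function Commands.kick(caller, args)
    local target = game:GetService("Players"):FindFirstChild(tostring(args[1]))
    if not target then
        return false, "no such player"
    end
    target:Kick(args[2] or ("Kicked by " .. caller.Name))
    return true
end

function Commands.setwalkspeed(caller, args)
    local speed = tonumber(args[1])
    -- Validate arguments inside the command, not just the command name.
    if not speed or speed < 0 or speed > 100 then
        return false, "speed must be a number between 0 and 100"
    end
    local humanoid = caller.Character and caller.Character:FindFirstChildOfClass("Humanoid")
    if not humanoid then
        return false, "no humanoid"
    end
    humanoid.WalkSpeed = speed
    return true
end

return Commands

-- ===== ServerScriptService.ConsoleServer (Script) =====
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local ServerScriptService = game:GetService("ServerScriptService")

local Commands = require(ServerScriptService:WaitForChild("Commands"))
local RunCommand = ReplicatedStorage:WaitForChild("RunCommand")

-- Placeholder UserIds; replace with the real developer accounts.
local ALLOWED_USER_IDS = { [1] = true, [2] = true }

RunCommand.OnServerEvent:Connect(function(player, name, args)
    if not ALLOWED_USER_IDS[player.UserId] then
        warn(("Rejected command from %s (%d)"):format(player.Name, player.UserId))
        return
    end

    -- Only a string key naming a function in the Commands table is accepted;
    -- rawget avoids any metatable surprises if one is ever added.
    local command = typeof(name) == "string" and rawget(Commands, name)
    if type(command) ~= "function" then
        warn("Unknown command from", player.Name, tostring(name))
        return
    end
    if typeof(args) ~= "table" then
        args = {}
    end

    local called, ok, err = pcall(command, player, args)
    if not called then
        warn("Command crashed:", name, ok)
    elseif not ok then
        warn("Command failed:", name, err)
    end
end)
```

Because the only thing the client can choose is which key of `Commands` to call, the set of reachable behaviour is exactly the functions you wrote in the module; adding a command means adding a function there, not widening what strings are allowed.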
Plus, loadstring is slow as it has to recompile the string every time it is called.
Loadstring on the client was disabled because people were able to use it to take control of the client, which is exactly what exploiting is. They had to leave the Luau compiler in the client in order to support loadstring, so in order to remove the Luau compiler, they had to remove loadstring as well. Roblox left it enabled on the server because there are no known server-side exploits that can use it to execute privileged code.