I own a product SmartOrders. Its a cafe ordering system, that gets distributed to the public via licensing.
I was wondering, what are the risks of Loadstring Enabled? As it would be nice to just hold the code on an external server, instead of running it on Roblox servers.
Please don’t tell me just the exploits associated with it, I need to know cons and pros.
loadstring alone isn’t inherently dangerous, but the “dangers” of it are hyped for some reason. It is mostly dangerous when you have a remote that allows for clients to send strings and run that string as code. The idea of running arbitrary code is dangerous.
But for your case it should really be fine.
If you are just grabbing it from some website via a GET request someone can just see the website the game makes a request to.
The main concerns are trying to sandbox code. If you want to include a string from the client, say like this:
loadstring('print("' .. varFromClient ..'")')
… it’s easy to break out of the “sandbox” with a string like ' " workspace.whatever:Destroy() " '. If you entirely trust your source, there’s no big security flaws, but it’s rarely necessary to use loadstring.