Why does Roblox not let us execute client commands?

I don’t know but they just do, which is a good thing

The server is able to evaluate a string into bytecode, which LoadString also does.

So how would it work client no but server yes?

Because the client doesn’t have a compiler like mentioned by @wow13524

1 Like

Hello OP, let me explain for you why this won’t work.

Basically, you can change anything on your computer (like your Roblox.exe), and so you can load up hacks etc., so any checks dependent on your computer can be altered by exploiters, and so a bytecode compiler to run checks on the client is vulnerable to attack.

But as you noted, and it isn’t obvious how they prevent hackers, you can, if you’re the owner, run code on the server.

The way Roblox handles this is it determines if you’re the owner on the server. So Roblox can see you’ve logged in, and it’s the same connection as the one you’ve logged in on, so it must either be the owner’s account.

Any hacker can send malicious code to the server to run, however the server will see it didn’t come from an authorised account and not execute the code. The client can’t reliably perform the same checks (as I reasoned above), so it’s not safe to allow that to have a bytecode compiler.

2 Likes

The reason why a server side executor is secure is because Roblox can receive the desired commands from the client then validate on the server if the person is authorised to execute that command, however on a client side console, since code is running on the client there is no way for Roblox to have a valid authorisation system on whether or not a user can run the commands since any server side checks can be bypassed, since, well, it’s being run on the client.

So could this work for the server:

local Admins = {} -- UserIds of the accounts allowed to run commands

for i, v in pairs(Admins) do
    if Player.UserId == v then
        -- execute command
    end
end

Would this prevent exploiters from accessing the server or running code in the server?

Exploiters can’t execute code on the server unless you do something stupid like have a remote that allows arbitrary code to be run through loadstring

Okay, but if u have a custom console would what I said work?

Why do you want to make a custom console though?

I just want to challenge myself to make something, and show myself it’s not out of my reach.

I guess? But then that means you have to do exactly what I advised against.

You could have a whitelist (it being of the developers) although you’re reinventing the wheel just for the sake of reinventing the wheel

Yes that would stop exploiters who weren’t admins

Couldn’t an exploiter intercept the remote though?

Okay, Thank u for the information very helpful!

you would have checks on the server

So I would have to fire a remote whenever I run a command?

Roblox used to have this as a feature, allowing developers to execute client code. However, it was very easy for exploiters to bypass the check and execute code 100% certified as safe just like that. It was removed for a good reason, and I would suggest not adding it yourself.

There is literally no reason to execute code directly on the client (although having the console and a luavm inserted by the server is an option), you can just use a ‘debug menu’ to give client-sided options without potentially compromising security.
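
The server-side check discussed in this thread, written out as an added example (not code from any poster or from Roblox): a server Script that accepts console commands over a RemoteEvent, authorises the sender by UserId, and dispatches to a fixed command table instead of passing client text to loadstring. The remote name, the command names and the UserIds are hypothetical placeholders.

```lua
-- Server Script (for example in ServerScriptService). Added example; names are hypothetical.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Constructed placeholder UserIds; replace with the real developer accounts.
local ADMINS = {
    [1111111] = true,
    [2222222] = true,
}

-- Fixed command table: the client picks a name, it never supplies code to compile.
local COMMANDS = {
    kick = function(caller, targetName)
        local target = Players:FindFirstChild(targetName)
        if target and target:IsA("Player") then
            target:Kick("Removed by an admin")
        end
    end,
    announce = function(caller, text)
        print(("[admin %d] %s"):format(caller.UserId, text))
    end,
}

local remote = Instance.new("RemoteEvent")
remote.Name = "ConsoleCommand" -- hypothetical remote name
remote.Parent = ReplicatedStorage

-- The engine supplies `player` from the connection that fired the remote,
-- so the identity check does not depend on anything the client sends.
remote.OnServerEvent:Connect(function(player, commandName, argument)
    if not ADMINS[player.UserId] then
        warn(("Rejected console command from non-admin %d"):format(player.UserId))
        return
    end
    -- Every value after `player` is client-controlled: check types and size.
    if type(commandName) ~= "string" or type(argument) ~= "string" then
        return
    end
    if #argument > 200 then
        return
    end
    local handler = COMMANDS[commandName]
    if handler then
        handler(player, argument)
    end
end)
```

Anyone can fire the remote, so the whitelist lookup and the argument checks have to stay in this server handler; a copy of the admin list on the client only decides whether to show the console UI.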