HI DEVS,
what is loadstring? i just saw this thing i didnt even know it existed so wut is it
sorry if i didnt research enough
5 Likes
It creates a function of interpreted lua code from a string
local test = loadstring("print('Hello world!')")
test() --> Hello world!
1 Like
whats the point of it then???
also i think they do this with load string
local test = loadstring("print('Hello world!')")()-- addin another pair of `()`There isnt too much use for it, but it could be used for per se an admin command which allows the user to run code from a string, or perhaps a math interpreter which allows you to do math from a string
Imagine you have like a calculator and you can input “5+5*3”
Theres really no easy way to interpret that without a ton of fancy string manipulatuion, however you could just do
local mathStuff = "5+5*3"
local resultOfMath = loadstring("return "..mathStuff)()
Its definitely a more weird feature but definitely has its uses
21 Likes
cant you do hacking with that stuff
1 Like
If you werent being smart about it
Roblox doesnt allow loadstring on the client and theres easier ways to do that anyways, the only concern that could happen with loadstring is if you let the client tell the server what to put in the loadstring in which case they could run code on the server for everyone
3 Likes
thx for the help i will keep this in the back of my mind
Loadstring is used mainly by some scripts and by the majority of exploiting scripts.
It runs the string given inside it’s brackets as code, for example:
local Code = "print('I love loadstrings!')"
loadstring(Code)
This will print I love loadstrings, in the console.
However, roblox noticed exploits were using this, and disabled the loadstring function.
Most exploits still use this and have even more features than roblox’s modified lua version, like getnilinstances, that will find anything under the parent nil!
While this topic is going on, I wanted to ask, why has roblox disabled loadstring, when there is literally a module that enables developers to do this? It’s just as easy as using loadstring just with the extra added effort, also not everyone knows about this module.
so loadstring is disabled is there a way i can enable it?
There is a way yes, a few actually.
Method 1: Non-Modular, server only
- This will only work on the server, and not the client
- Simply enable the property under ServerScriptService, it’ll be called loadstringenabled or something.
Method 2: Modular, client and server.
- This is useable on the client and server!
- A tad bit more compelx
- The module, explains on how to use it
- Super simple once you get your head around it, theres even an example in the module!
Module: vLua 5.1 (improved VM) - Roblox
5 Likes
loadstring in its heyday presented a bevy security issues, especially back before the implementation of the client-server division. Disabling the feature by default is more to protect developers who don’t know about it or how to protect themselves from it, especially due to its prevalence in malicious code that those developers may not understand or even know how to detect.
It in and of itself is not a bad thing, and using it with bytecode strings was once a reasonable way to obfuscate one’s code when the lack of a client-server division meant that a bad actor could steal an entire game, not just the client code. Of course, something like that would never work nowadays because more people know how to do more with Lua than they did in ROBLOX’s infancy, but loadstring had its uses–just too many of them were bad.
3 Likes
Thanks for the clearup! I appreciate it.
1 Like
Be careful, load string is used by exploiters.
1 Like
yeah ik studio told me when i was enabling the property