Common Security Risks

Understand and prevent common security vulnerabilities.

Event Injection

Risk

Clients can trigger server events with malicious data.

Prevention


RegisterNetEvent('myresource:purchase')
AddEventHandler('myresource:purchase', function(itemId)
    local source = source
    
    -- Validate input
    if type(itemId) ~= 'number' then return end
    if itemId < 1 or itemId > 1000 then return end
    
    -- Process purchase
end)

Eval Injection

Risk

Using load() or eval() with user input.

Prevention

Never use eval with user input:


-- BAD
load(userInput)()
 
-- GOOD
-- Use whitelisted functions only

SQL Injection

Risk

Unsanitized SQL queries.

Prevention

Use prepared statements:


-- BAD
MySQL.query('SELECT * FROM users WHERE id = ' .. userId)
 
-- GOOD
MySQL.query('SELECT * FROM users WHERE id = ?', {userId})

Best Practices

Validate all input
Use prepared statements
Sanitize user data
Limit permissions
Regular security audits