Security: write resources without holes · Lesson 3/3 · 6 min

Checklist before publishing or installing

A quick list so you don't get nasty surprises, whether you're uploading a resource or installing someone else's.

Before INSTALLING something from outside

  • Run it through the Security Audit (backdoors, miners, exfiltration).
  • Search for os.execute, load(, Discord webhooks and HTTP requests to unknown IPs.
  • Be wary of heavily obfuscated code: if you can't read it, you don't know what it does.
  • Test it first on a test server, never straight in production.

Before PUBLISHING your own

  • All sensitive logic is on the server and validated.
  • Parameterized queries (?), no SQL concatenation.
  • No hardcoded secrets (they go in secrets.cfg via GetConvar).
  • Anti-spam on the events that give money/items.
  • config.lua for what's configurable; no loose magic values.

Security isn't paranoia: it's respect for the server owners who trust your resource and for the players. A secure resource is a resource people recommend.
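The checklist above, applied in one server-side event handler. This is an added example, not code from the lesson; it assumes an oxmysql-style MySQL.query, a users table with name and money columns, and illustrative event and reward names.

```lua
-- Added example (not part of the lesson). Assumed: oxmysql-style MySQL.query,
-- a `users` table with `name`/`money` columns, illustrative event name and
-- reward ids. In a real resource the Rewards table belongs in config.lua.

local Rewards = { daily = 250, vote = 100 }  -- amounts decided on the server
local COOLDOWN_SECONDS = 60                  -- anti-spam: one claim per minute
local lastClaim = {}                         -- player source -> time of last accepted claim

-- Secret comes from secrets.cfg (set audit_webhook "..."), never from the code.
local auditWebhook = GetConvar('audit_webhook', '')
if auditWebhook == '' then
  print('[rewards] audit_webhook convar not set; audit logging disabled')
end

-- Anti-spam gate: true if this player may claim now, false while on cooldown.
local function allowedToClaim(playerId, now)
  local last = lastClaim[playerId]
  if last and (now - last) < COOLDOWN_SECONDS then
    return false
  end
  lastClaim[playerId] = now
  return true
end

-- The client only names a reward; the amount is looked up here, so a tampered
-- client cannot pick its own number by changing the event payload.
local function resolveReward(rewardId)
  if type(rewardId) ~= 'string' then return nil end
  return Rewards[rewardId]
end

RegisterNetEvent('rewards:claim')
AddEventHandler('rewards:claim', function(rewardId)
  local src = source  -- identity comes from the connection, not from the payload
  if not allowedToClaim(src, os.time()) then
    print(('[rewards] claim from %d ignored (cooldown)'):format(src))
    return
  end
  local amount = resolveReward(rewardId)
  if not amount then
    print(('[rewards] invalid reward id from %d: %s'):format(src, tostring(rewardId)))
    return
  end
  -- Parameterized: the values travel separately from the SQL text, so no
  -- player-controlled string is ever concatenated into the query.
  MySQL.query('UPDATE users SET money = money + ? WHERE name = ?',
    { amount, GetPlayerName(src) })
end)
```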

Practice what you learned

Test

Before PUBLISHING your resource, what must NOT remain in the code?

Hint

Whatever you wouldn't want exposed if your resource leaked.

Fix the bug

This query concatenates player-supplied data (SQL injection). Convert it to a parameterized query.

This code has a flaw:

local nombre = obtenerNombreDelCliente()
MySQL.query('SELECT * FROM users WHERE name = "' .. nombre .. '"')

Rewrite it corrected:

Hint

MySQL.query('SELECT * FROM users WHERE name = ?', { nombre }).

Fill in the blanks

Complete: read the API key from a convar (secrets.cfg) instead of hardcoding it.

-- in secrets.cfg: set discord_token "your_token"
local token = ('discord_token', '')
if token == '' then print('Falta configurar el token') end

Hint

The FiveM native function for reading convars.

Challenge: code it yourself

Review one of your resources with this checklist and fix the weakest point you find.

Write it yourself in your editor (VS Code) and test it on your server. You learn here by doing it, not by copying.

Hint

Start with the most critical: is there money/item logic decided on the client?
