FiveM Security Guide — Closes often overlooked vulnerabilities

Security is something developers often overlook when rushing to develop. But a single vulnerability can destroy a server.

Vulnerability 1: Trust Client Input

-- Danger: client sends price = 1!
AddEventHandler('shop:buy', function(itemName, price)
    local xPlayer = ESX.GetPlayerFromId(source)
    xPlayer.removeMoney(price)
    xPlayer.addInventoryItem(itemName, 1)
end)

-- Correct: Server pulls prices from Config itself.
AddEventHandler('shop:buy', function(itemName)
    local xPlayer = ESX.GetPlayerFromId(source)
    local item = Config.ShopItems[itemName]
    if not item then return end
    
    if xPlayer.getMoney() < item.price then return end
    
    xPlayer.removeMoney(item.price)
    xPlayer.addInventoryItem(itemName, 1)
end)

Vulnerability 2: Hardcoded Webhooks in Client

-- Danger: in client.lua
local webhook = "https://discord.com/api/webhooks/123/abc"

-- correct: in server.lua only
local webhook = GetConvar("discord_webhook", "")

Vulnerability 3: No Cooldown

local cooldowns = {}

AddEventHandler('myScript:claimBonus', function()
    local src = source
    if cooldowns[src] and (GetGameTimer() - cooldowns[src]) < 60000 then
        return -- cooldown not yet complete
    end
    cooldowns[src] = GetGameTimer()
    -- give rewards
end)

Vulnerability 4: SQL Injection

-- Danger:
local query = "SELECT * FROM users WHERE name = '" .. playerName .. "'"

-- Correct:
MySQL.Async.fetchAll('SELECT * FROM users WHERE name = @name', {
    ['@name'] = playerName
}, callback)

Security Checklist

• Server validates every input from Client.
• Prices are in Server Config only.
• Webhooks are on server-side only.
• Every event has permission check.
• Always use parameterized queries.
• There is rate limiting on sensitive events.

Summary

Good security is a habit that must be established from the beginning, checking every input and validating everything on the server side.