Best way of sanitizing damage input on server

I’ve been recently making a game that has as its major mechanic the back stab (meaning that melee weapons do critical damage when attacking from behind, like the Spy’s knife in Team Fortress 2), but I’m unsure how to sanitize input from the players in order to avoid exploits.

Right now, my system works as follows:

  • The clients who can back stab evaluate on every heartbeat a series of mathematical operations: if all of those return true, a signal is sent to the server indicating that the client did a backstab;
  • The server then proceeds to evaluate the signal, doing only the essential ones of the above mathematical operations, albeit with a bigger threshold in order to compensate for eventual lag. If every operation checks out, it kills the player and sends data to the player who died and the player who killed.

However, I’m afraid that the threshold might be a little bit too large and that it can eventually be abused given enough time. What would be a better alternative to that?

As long as there isn’t a way to pass fake data to the server, then it’s fine. If it’s too difficult for an exploiter to do something interesting with your game, then they won’t do it.

1 Like

Seems like a decent solution, but ideally you’d want a backstab to go through the moment you click. If it were me I’d do all the animating of a backstab on the client which did it immediately (if they pass the clientside checks), then send the data to the server and do the serverside checks. If the server said everything is A-OK then just tell the client everything worked fine and it’s fine to continue and tell the other player they died. If the server finds some evil exploity business then tell the client to cancel whatever they’re doing and that the backstab didn’t actually go through. It’ll make the experience smoother for all non-exploiters (don’t have to wait for the serverside check each time for feedback), and won’t become any more vulnerable to exploityness.

Obviously not a necessary change but it’ll make it feel much more responsive. The downside, of course, being it’ll be just slightly more of a pain to implement, but shouldn’t be too bad.

I don’t really have much to say about improving how you do the server-side checks, your method is probably how I’d approach it. There are probably other ways like having the server always calculate who is in a position in which they’re able to backstab someone else, then send the epoch time the client actually clicked to the server and on the server check if they were in a position to backstab at that time. A lot more intensive on both the memory side and calculations side and frankly just not worth it in my opinion.

1 Like
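To make the two server-side approaches in this thread concrete (the original post's "re-check the geometry on the server with a lag threshold" and the second reply's "record positions on the server and check the claimed click time against history"), here is an added example in Python. It is not code from either poster and not tied to any particular engine; the class names, the thresholds (`MAX_CLAIM_AGE`, `MAX_RANGE`, `BEHIND_COS`) and the sample positions are all constructed for illustration. The key property is that the client supplies nothing but "I stabbed B at time t"; positions and facing come from the server's own samples, and the claimed time is clamped to a short lag window so an exploiter cannot hunt through old history for a moment that happened to qualify.

```python
"""Server-authoritative validation of a client-reported backstab (added example)."""
from collections import deque
from dataclasses import dataclass
import math

# Constructed tuning values; a real game would derive these from tick rate and reach.
MAX_CLAIM_AGE = 0.25   # seconds a claimed click may lag behind server time
MAX_RANGE = 3.0        # melee reach, already padded for lag
BEHIND_COS = 0.5       # cos(60 deg): attacker must be inside a 120-degree cone behind the victim
HISTORY_LEN = 32       # server-side samples kept per player


@dataclass(frozen=True)
class Sample:
    t: float
    x: float
    y: float
    look_x: float  # unit facing vector in the horizontal plane
    look_y: float


class PlayerState:
    """Ring buffer of server-sampled positions; clients never write to this."""

    def __init__(self):
        self.history = deque(maxlen=HISTORY_LEN)

    def record(self, t, x, y, look_x, look_y):
        n = math.hypot(look_x, look_y) or 1.0  # normalise, guard zero vector
        self.history.append(Sample(t, x, y, look_x / n, look_y / n))

    def sample_at(self, t):
        """Newest sample taken at or before t, or None if history does not reach back that far."""
        best = None
        for s in self.history:  # oldest first
            if s.t <= t:
                best = s
        return best


def is_behind(victim: Sample, attacker: Sample) -> bool:
    """True if the attacker is within reach and inside the cone behind the victim."""
    dx, dy = attacker.x - victim.x, attacker.y - victim.y
    dist = math.hypot(dx, dy)
    if dist == 0 or dist > MAX_RANGE:
        return False
    # Cosine of the angle between the victim's facing and the direction to the attacker;
    # strongly negative means the attacker is behind.
    cos_angle = (dx * victim.look_x + dy * victim.look_y) / dist
    return cos_angle <= -BEHIND_COS


def validate_backstab(server_now, attacker_state, victim_state, claimed_t):
    """Return (accepted, reason). Only the claimed timestamp comes from the client."""
    # 1. Bound the claim to the lag window: never in the future, never older than MAX_CLAIM_AGE.
    if claimed_t > server_now:
        return False, "claimed time is in the future"
    if server_now - claimed_t > MAX_CLAIM_AGE:
        return False, "claimed time older than lag window"
    # 2. Look up what the server itself recorded at that moment.
    a = attacker_state.sample_at(claimed_t)
    v = victim_state.sample_at(claimed_t)
    if a is None or v is None:
        return False, "no server history at claimed time"
    # 3. Re-evaluate the geometry server-side.
    if not is_behind(v, a):
        return False, "attacker not behind victim at claimed time"
    return True, "ok"


def demo():
    """Constructed scenario: victim at origin facing +x, attacker approaches from behind."""
    victim = PlayerState()
    victim.record(9.8, 0.0, 0.0, 1.0, 0.0)
    attacker = PlayerState()
    attacker.record(9.8, -2.0, 0.0, 1.0, 0.0)    # behind the victim
    attacker.record(9.95, 2.0, 0.0, -1.0, 0.0)   # then walked round to the front
    return {
        "behind_in_window": validate_backstab(10.0, attacker, victim, 9.9),
        "moved_to_front": validate_backstab(10.0, attacker, victim, 9.97),
        "stale_claim": validate_backstab(10.0, attacker, victim, 9.0),
        "future_claim": validate_backstab(10.0, attacker, victim, 10.5),
        "before_history": validate_backstab(10.0, attacker, victim, 9.7),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The lag window does the job the original post's "bigger threshold" was doing, but in time rather than in angle: the geometry check itself stays strict, and the only slack an exploiter gets is the few hundred milliseconds of history the server is willing to consult, which is also how much memory the second reply's approach costs (a handful of samples per player, not a full replay).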