Best way to go about making an exploiter proof spell system without using tools? (best practice question)


I am working on a spell system which would have anywhere from 20 to 40 spells, but the player would only be able to choose 5 at a time, much like elemental battlegrounds, i don’t want to use tools because since there will be no handle anyway i am thinking it will be more performance friendly with no tools.

So my question is, how would i give access to players to cast a spell with a hotkey that i could then take away if they choose different spells? Should i avoid using local scripts?

Thank you for your time

It’s best to use UserInputService or ContextActionService, do note that UserInputServices can only be scripted via Local Scripts, so no you shouldn’t avoid Local Scripts. You should use Remote Events so you can fire them via local scripts when a certain hotkey is pressed, and a Server Script handles the magic and spell when the Remote Event is fired. Terribly sorry if you can’t understand me, but this is the best I can explain. :smiley:

As I like to tell everyone, pretend everything is untampered on the client, then add extra security checks on the server. The only ones who will have a bad visual experience are the ones tampering with the spell cooldowns.

i see, that is what i am currently doing. My real question is; say i had 1 serverscript containing all events and spells, how would i have the players cast only a select few of them.

here is my idea. Have a single local script containing all the spells and use boolvalues in a folder that is injected in the players.playerName upon entering the game, and as they select spells i have it so that if they try to fire any spell it first checks if the bool value is true before firing event. is this a good idea or?

I’d clone everything from a folder inside server storage only when the player equips the spells, that way exploiters would have to unlock the spells if they were to try downloading your local scripts. You could have all the events, server scripts, and local scripts in a folder named “One”, “Two”, etc. and dump the folder in their PlayerScripts or Character when they equip the spell. When they press a spell’s designated key it would activate that spell.

hmm, but seeing as a value would have to be true before it will fire and they can’t change values inside players.PlayerName i thought that would make it anti exploiatable even if theyhave the local script, because the same check would be preformed serverside? or am I missing something?

Oh that first bit I mentioned was just a preference thing. If you hold all your spells in ReplicatedStorage, an exploiter could steal your client code and assets for every spell, which is why I usually keep a lot of things in ServerStorage until the client actually needs them (since it’s impossible to access ServerStorage from a LocalScript)

I meant to have the script in server script service. I already have a radial menu gui that is a local script that just tells the server script inside server script service what spell was selected and the serverside script does the rest, is this bad practice?

I don’t see anything that makes it bad , Just make sure you do not make any critical checks in the Local Script . If you are using UIS for the Spells , you can just trigger it and send a RemoteEvent with Some Values like the Key you chose and you can make a Module Script Containing all your Spells and their functions and then just call it.

great, that’s what i had in mind, i’ll give it a try, thank you guys for the advice

1 Like