Can exploiters get into their player model and change values?

Title says it all really.

I basically have an equip system for weapons, as a LocalScript. When you press 1 you equip your primary weapon, the LocalScript checks what your ‘PrimaryWeapon’ (stored inside the player) value is and basically gives you the gun. What I’m afraid of happening though is an exploiter could just go in and change that value to be whatever weapon they want. What ways would I do to get around this? Using RemoteEvents? If so, how would I check in the server to make sure that the client value matches with what the server says the players primary weapon is


You’re trying to fix a symptom of the problem, not the root cause. Your issue is created by the fact that the player has access to all of the weapons – remember, anything the client has access to can be exploited. If you store weapons on the client, even without using your equipping system, they can equip those weapons manually.

As a solution, you want to get all of those weapons on the server and out of the client’s reach. When a player equips a weapon, they should be given only that weapon by the server. This means they’ll have no choice but to use the equipped weapon, and you don’t need to worry about them changing values on the client :wink:


But like if a player sets what weapon they have equipped it changes a value inside the player. How else can I get it so the server and client can see what the player has set as their weapon name

Store it under a value named like ‘EquippedWeaponDisplayName’ that makes it clear that it is cosmetic only and doesn’t affect the actual weapon that is equipped.

If you want it to have more functionality than displaying the name, there’s no need to care what the value is on the client. Any changes the client makes won’t be replicated to the server, as they don’t have ownership of they Player object. Your game should be scripted so that the equipped value on the client doesn’t change anything for the server and other players – so if the exploiter breaks things on their client, it’s their fault and not yours.

So if I have a value inside the player, and have the server handeling giving the player the items, changing their equipped item, etc. then they cant do anything? So even if they change that value on the clients end it wont work on the server?

Yep, you’re right.

1 Like

It doesnt matter, that is the process of Filtering Enabled. NOTHING from client goes to the server (other than physics data (if they are the object’s network owner) (which is why they can speedhack and etc), network data, and remotes). What you do on the client may allow them to do so however (such as adding a remote event that executes code from client or allowing people to specify item prices (should be server determined instead))