So in the end, would it be wise to remove the client-to-server remote events, or keep them?
I'm definitely worried about security now that it's been brought up, so I'd like to implement a similar system for buying cash and buying items (removing cash and adding to inventory) in a secure manner.
The remote is fine, but simply leaving the remote out there to generate cash is vulnerable.
What I am saying is that I suggest you put a LocalScript in the GUI and check if the player purchased it, then ON the server, using an OnServerEvent function, check if the player has the cash required, and if he does, subtract that cash from their current balance and give them the item.
I will try to give an example. If the client sends a value of 100 to the server event, then the server will take the 100 and add it to the player’s cash. This is dangerous because there is no way to verify if the player should make 100 or 10. The client should fire the server event, but the server must be the one to set the reward.
As @awesomeotheraccount suggests, let the server handle all transactions; a good thing to remember is to never trust the client, especially with intimate data such as player stats. If player input is necessary, then make sure to make as many sanity checks as possible. For example, if I wanted to make a purchasing system, I might do something like this.
```lua
-- Server-side price list: the client never tells the server what an item costs
local itemsForSale = {
	Item = 200;
	Item2 = 400;
}
local purchaseEvent = your.RemoteEvent -- path to your RemoteEvent
purchaseEvent.OnServerEvent:Connect(function(plr, item) -- "item" is the Name of the stat, for example "Item"
	local cost = itemsForSale[item]
	if not cost then
		-- unknown item name (or a non-string sent by an exploiter): ignore the request
		return
	end
	local playerCash = plr:WaitForChild("PlayerData"):WaitForChild("Cash")
	if playerCash.Value >= cost then -- >= so a player with exactly enough cash can still buy
		playerCash.Value -= cost
		-- equip the item here; you could turn this into an OnServerInvoke event and let the client know that the purchase was a success
	end
end)
```
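The "client sends 100, server adds 100" pattern from the earlier reply, beside a server-authoritative replacement with the kind of sanity checks this post recommends. This is an added example, not code from the thread; the remote names, the REWARD_TABLE values and the PlayerData/Cash/Completed layout are assumptions.

```lua
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

--[[ DANGEROUS (do not use): the client decides how much cash it gets, so
     anything that fires this remote can pass 1e9 instead of 100.
local unsafeReward = ReplicatedStorage:WaitForChild("UnsafeRewardEvent")
unsafeReward.OnServerEvent:Connect(function(plr, amount)
	plr.PlayerData.Cash.Value += amount
end)
]]

-- SAFER: the client only says which reward it is claiming; the server owns
-- the reward amounts, checks its own record of progress, and refuses repeats.
local rewardEvent = ReplicatedStorage:WaitForChild("RewardEvent") -- assumed name
local REWARD_TABLE = { DailyQuest = 100, Tutorial = 10 } -- assumed server-owned values
local claimed = {} -- claimed[player][rewardName] = true once paid out

local function hasCompleted(plr, rewardName)
	-- assumption: the server sets a BoolValue under PlayerData.Completed
	-- when the player actually finishes the task; the client cannot set it.
	local data = plr:FindFirstChild("PlayerData")
	local completed = data and data:FindFirstChild("Completed")
	local flag = completed and completed:FindFirstChild(rewardName)
	return flag ~= nil and flag.Value == true
end

rewardEvent.OnServerEvent:Connect(function(plr, rewardName)
	-- sanity checks: right type, known reward, real progress, not already paid
	if typeof(rewardName) ~= "string" then return end
	local reward = REWARD_TABLE[rewardName]
	if not reward then return end
	if not hasCompleted(plr, rewardName) then return end
	claimed[plr] = claimed[plr] or {}
	if claimed[plr][rewardName] then return end
	claimed[plr][rewardName] = true

	local cash = plr:WaitForChild("PlayerData"):WaitForChild("Cash")
	cash.Value += reward -- the amount comes from the server table, never the client
end)

-- drop per-player state when they leave so the table does not grow forever
Players.PlayerRemoving:Connect(function(plr)
	claimed[plr] = nil
end)
```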
In short, yes, they can invoke the events. This is answered right above, as @AbiZinho said,
If you can do it client sided, then they can too.
So this goes to show that whatever you can do to the client as the developer (display GUIs, or all GUI-related things, or things that are client-sided) can be changed, added or removed by an exploiter. I do not have a complete understanding or awareness of what exploiters are capable of, so please look into this further.
Sorry @AbiZinho if it seems I’m trying to take credit, I am hoping to only add more clarification if at all possible to help @WindingTheRopes understand what we’re talking about.