Exploiters and Inventory System Data Locations

I have an inventory system that currently requests information from server storage through remote events, and I am now starting to work on a storage system. For the storage GUI, it will give you a preview of your inventory and a view of all items in a storage container; however, there are two ways I could start approaching the process of grabbing the player’s inventory information. One could be sending information to the new GUI for “slots” (what the item visually takes up) and the data related to the item directly from the inventory handler script to the storage handler script. The other, which is why I’m typing out this post, involves injecting data into a folder that could be accessible from a local script (therefore, exploiters could preview the data too). Its location could be the player in the player list, a folder in the workspace/replicated storage, you name it.

That second method I talked about, having a file system that writes out every player’s inventory in a nice tidy folder, would be a much easier access point for local scripts, not just the storage script I’m planning to make (much easier for GUIs and other data requiring that info). Except, I don’t know if there is a way exploiters could abuse this and/or if it is bad practice to put “player data” (it’s not really data because it’s not the saved values, it would just be responsible for grabbing/displaying the value of a certain item a certain player has) in a place accessible by local scripts.

To recap: Is putting player data information, not player data, in a folder accessible by a local script bad practice/unsafe? I don’t really know how much control exploiters can gain over your game. Can they change the values of the information (in this case, int and bool values)? Also, is using remote events/functions as a way to transfer saved data to a local script an unsafe practice?

Thanks for any help. If you need more information, I’ll gladly post more.

1 Like

If the information stored is sensitive, it generally isn’t a good idea to make it accessible from local scripts. You need to remember that if it is accessible from a local script, it is accessible from the client and therefore an exploiter can theoretically gain access to it.

In your case, remote events and functions would be a good idea, with which the server can make certain elements of the information available to the client depending on what the client needs access to, but no more than is needed.

1 Like

Thanks for the quick reply! In my case, would you consider my data – a preview of the saved values – sensitive data? And if I were to make a folder filled with this information, would the exploiter be able to edit any values?

1 Like

If you save this folder server-sided, an exploiter would not be able to change the data inside as long as you have FilteringEnabled set to true (it should be on by default). They also won’t be able to view it if you save it in a secure location such as ServerScriptService or preferably ServerStorage. Anything in those is only accessible to server-side scripts.

As to whether the values are sensitive or not, I wouldn’t be able to say without knowing what the values are used for, but generally it would be good to just have the values in a server script variable rather than a variable instance.

1 Like
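
The approach suggested in the replies above, as an added example that is not code from the thread: the inventory lives in a server script variable, and a RemoteFunction returns only the display fields of the calling player's own items. The remote name `GetInventoryPreview`, the item fields, `MAX_SLOTS` and the sample items are assumptions made for illustration.

```lua
-- Server Script, placed in ServerScriptService (added example).
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Hypothetical remote name; only the remote itself is visible to clients.
local getPreview = Instance.new("RemoteFunction")
getPreview.Name = "GetInventoryPreview"
getPreview.Parent = ReplicatedStorage

-- Authoritative inventories stay in a server-side table keyed by UserId,
-- not in Value instances that replicate to every client.
local inventories = {}
local MAX_SLOTS = 30 -- assumed cap on how many slots a preview may contain

Players.PlayerAdded:Connect(function(player)
	-- Constructed sample data; a real game would load this from its save system.
	inventories[player.UserId] = {
		{ id = "sword", count = 1, equipped = true, saveKey = "internal-1" },
		{ id = "potion", count = 5, equipped = false, saveKey = "internal-2" },
	}
end)

Players.PlayerRemoving:Connect(function(player)
	inventories[player.UserId] = nil
end)

-- Build the copy sent to the client: display fields only, no internal keys.
local function buildPreview(items)
	local preview = {}
	for slot, item in ipairs(items) do
		if slot > MAX_SLOTS then
			break
		end
		preview[slot] = { id = item.id, count = item.count, equipped = item.equipped }
	end
	return preview
end

-- The engine supplies `player`; the handler accepts no client arguments, so a
-- client cannot request another player's inventory or send values to be trusted.
getPreview.OnServerInvoke = function(player)
	local items = inventories[player.UserId]
	if not items then
		return {} -- inventory not loaded yet, or player already removed
	end
	return buildPreview(items)
end
```

A LocalScript would call `ReplicatedStorage:WaitForChild("GetInventoryPreview"):InvokeServer()` and draw its slots from the returned table; edits a client makes to that table change only its local copy.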

Okay, I get what you’re saying, putting more information than needed, especially if it’s viewable from the client, is usually a bad thing.

Thank you

1 Like

No worries, glad I could help.
Happy coding!

1 Like