Exploiters and Remotes

Hey all!
Had a quick question about remotes, and specifically what exploiters are able to manipulate when sending data to the server.

I understand that exploiters are able to control most data that their client sends to the server via remote events; however, once that data reaches the server in the “OnServerEvent” event, one thing that is always sent is the player’s player object. My question is: are exploiters able to manifest this player object, or does Roblox always take the sender’s user id when the remote is called?

There’s also the issue of overloading the server. Do exploiters have the ability to mass spam remote events to the server? Part of my game allows the player to click on a button, which creates a part on the server side of things. Can exploiters abuse this and send, say, a thousand events to the server at once?

The first argument passed once firing a RemoteEvent/RemoteFunction is player.
I don’t think this is exploitable.
And yes.
A simple code like:

for i = 1, math.huge do
    CreatePart:FireServer()
end

Enough to blow your game up.

1 Like

The player parameter is built into the function, so nothing the exploiter can send through a remote event can change the player who fired object.

And for your second question, yes. You need to have some sort of debounce in the onserverevent function that prevents exploiters from actually executing the main purpose of the function over and over repeatedly.

1 Like
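
One way to implement the server-side debounce described above, as an added example that is not part of the original posts. It assumes the CreatePart RemoteEvent sits in ReplicatedStorage; the cooldown, the per-player part cap and the spawn position are illustrative values.

```lua
-- Server Script (for example in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumption: the RemoteEvent from the thread lives in ReplicatedStorage.
local CreatePart = ReplicatedStorage:WaitForChild("CreatePart")

local COOLDOWN_SECONDS = 0.5     -- assumed minimum gap between accepted requests
local MAX_PARTS_PER_PLAYER = 50  -- assumed cap on live parts per player

local lastAccepted = {} -- [Player] = os.clock() of the last accepted request
local partCount = {}    -- [Player] = number of live parts the player owns

CreatePart.OnServerEvent:Connect(function(player, ...)
	-- `player` is supplied by the engine, so it is safe to key state on it.
	-- Everything in `...` is client-controlled and is ignored here.
	local now = os.clock()
	local last = lastAccepted[player]
	if last and now - last < COOLDOWN_SECONDS then
		return -- too soon: drop the request before doing any work
	end
	if (partCount[player] or 0) >= MAX_PARTS_PER_PLAYER then
		return -- the player already owns the maximum number of parts
	end

	lastAccepted[player] = now
	partCount[player] = (partCount[player] or 0) + 1

	local part = Instance.new("Part")
	part.Anchored = true
	-- The position is chosen by the server, not taken from the client.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	part.Position = root and (root.Position + Vector3.new(0, 5, 0)) or Vector3.new(0, 10, 0)
	part.Parent = workspace

	-- Free the slot when the part is destroyed.
	part.Destroying:Connect(function()
		if partCount[player] then
			partCount[player] -= 1
		end
	end)
end)

-- Drop per-player state on leave so the tables do not grow without bound.
Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil
	partCount[player] = nil
end)
```

The cooldown bounds how often the handler does real work, and the part cap bounds the total state one player can create even when every request respects the cooldown.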

I see… I’ll have to add something server side to correct for this.

Thanks for the swift response!

Just asking, what are you doing?
Like a bloxburg system?

1 Like

are exploiters able to manifest this player object, or does Roblox always take the sender’s user id when the remote is called?
No. The first argument passed onto OnServerEvent is always the Player instance.

Do exploiters have the ability to mass spam remote events to the server?
Yes, but it does not affect the server much. Spam firing events to the server will very quickly increase the client’s memory and crash them. The server limits how often a remote event can accept a player’s request: Release Notes for 337 - #3 by Defaultio

2 Likes

Returning to an old project that I started working on a few years ago. Somewhat of a space colonization game.