Given the risks of RemoteEvents in Roblox development, I'm questioning the safety of retrieving user data upon touch, even with validation

“As I’ve been developing on Roblox recently, I’ve been learning a lot about the risks of RemoteEvents. I’ve come to the conclusion that I should create RemoteEvents only when absolutely necessary. However, even with that in mind, I still feel the need for validation procedures. I’m wondering if a RemoteEvent that retrieves user data upon being touched is acceptable. I’m also anxious about whether even this should be avoided, and I would appreciate it if you could let me know.”

Could you clarify the user data part? What exactly would be acquired? Is the server acquiring it or is the client acquiring it?

It’s about user attributes, for example, just bringing in whether it’s a Humanoid and collecting it on the server.

Why would you need a user attribute from the client to check for a Humanoid, unless I am missing something?
You can easily do that entirely server-side.

A RemoteEvent taking in client-provided data is as dangerous as you let it be, with varying danger of course, depending on the use case. As long as you do proper sanity checks on the server, you don’t have to worry, because you’ve done it all right on your end; if a vulnerability caused by Roblox were to be found, then it’s Roblox’s fault, not yours.

Do sanity checks on all client-provided data. A sanity check means validating data, such as confirming that the provided data is of the expected data type, validating that numerical data is within any set boundaries, or that a confirmed string’s size is within limits.

The saying “never trust the client” couldn’t be more true. Not protecting the server against client-provided data could lead to exploiters ruining your game, one example being players duping items, potentially ruining the game’s player-driven economy, if one exists.

You shouldn’t be scared of receiving data from clients; instead, be cautious and validate data before doing actions on the server based on the provided data.


It’s not possible to create a multiplayer game on Roblox that doesn’t use RemoteEvents/BindableEvents, unless the game is extremely basic and/or boring.

You can’t avoid exploiters trying to exploit your game, but you can do your best to validate all data being received from clients before allowing the respective code to execute. E.g. ensure the character is in the right position, the number they’re sending isn’t higher/lower than permitted limits.

Just go ahead and make the .Touched event trigger your RemoteEvent. Exploiters WILL be able to just teleport themselves to the part that is to be touched, so ensure that the player has gotten there legally if possible (such as constantly monitoring the position of players, and if they move too fast, teleporting them backwards).

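A server Script that applies the checks the replies above describe (type, bounds, rate limit, and a server-side position check against the touched part), written as an added example in Luau rather than code from any poster. The RemoteEvent name "CheckpointTouched", the Part name "Checkpoint", and the numeric limits are assumptions; if the touch can be detected on the server with Part.Touched alone, as suggested earlier in the thread, no remote is needed at all.

```lua
-- Added example, not from the thread. Assumed names: a RemoteEvent "CheckpointTouched"
-- in ReplicatedStorage and a Part "Checkpoint" in Workspace.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local remote = ReplicatedStorage:WaitForChild("CheckpointTouched")
local checkpoint = workspace:WaitForChild("Checkpoint")

local MAX_DISTANCE = 15      -- studs; how far from the part a reported touch may be (assumed limit)
local MAX_NAME_LENGTH = 50   -- upper bound on any client-supplied string
local MAX_SCORE = 1000       -- upper bound on any client-supplied number
local RATE_WINDOW = 1        -- seconds between accepted reports per player
local lastReport = {}        -- player -> os.clock() of the last accepted report

remote.OnServerEvent:Connect(function(player, checkpointName, score)
	-- 1. Types: anything other than the expected types is dropped outright.
	if typeof(checkpointName) ~= "string" or typeof(score) ~= "number" then
		return
	end
	-- 2. Bounds: string length and numeric range. NaN fails every comparison,
	--    so it is rejected explicitly with `score ~= score`.
	if #checkpointName > MAX_NAME_LENGTH then return end
	if score ~= score or score < 0 or score > MAX_SCORE then return end
	-- 3. Rate limit: a client spamming the remote is ignored inside the window.
	local now = os.clock()
	if lastReport[player] and now - lastReport[player] < RATE_WINDOW then return end
	lastReport[player] = now
	-- 4. The server decides whether there is a live Humanoid and where it is;
	--    the client's claim about what it touched is only a hint to be verified.
	local character = player.Character
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not humanoid or not root or humanoid.Health <= 0 then return end
	if checkpointName ~= checkpoint.Name then return end
	local distance = (root.Position - checkpoint.Position).Magnitude
	if distance > MAX_DISTANCE then
		-- A teleported or spoofed report: log it server-side instead of acting on it.
		warn(("%s reported a touch while %.1f studs away"):format(player.Name, distance))
		return
	end
	-- Every check passed; the server-side effect (saving progress, awarding score) goes here.
	print(player.Name, "reached", checkpoint.Name, "with score", score)
end)

Players.PlayerRemoving:Connect(function(player)
	lastReport[player] = nil -- avoid holding references to players who left
end)
```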