I have a system set up where when a player clicks a GUI button, it fires a RemoteEvent in ReplicatedStorage, and then a script in ServerScriptStorage detects when it is called. Once it is called, it will teleport a desired about of players to a new game. I have the teleport system and all that working, however I don’t know how to make it where exploiters can’t fire that event from their local script.
Possible Solutions
I thought of a few solutions that MIGHT work, however it is not a 100% guarantee.
#1. Rename the events to something strange such as “x13uF”. - The problem with this is that exploiters can still figure out what that event does.
#2. Use a debounce. - This could work however if the exploiter fires the event once when it isn’t supposed to be fired, it is still pretty crucial damage.
#3. Use tables such as this. - I think this could work however I didn’t really understamd much of what he was saying [as I am more of a builder].
If anyone can help that would be greatly appreciated. I am willing to work hard to fix this as it is a game-crucial event. Thank you!
It is practically impossible to prevent an exploiter from firing events, because events are made for client - server communication or vise versa. What I recommend is ensuring that you never trust the client. By this I mean always do checks on the server, and never let the client perform actions via events. So lets say you had an event where a client wanted to buy something. If in the event the client sends the amount the item costs, they can simple edit that to 0 or something and will get said item for free.
Remember that a client can see anything on their computer, which means they can see all your events and their names if you allow them to (which is necessary for client to server communication).
Since you are waiting for a specific player to click a button, you can check whether the player which fired the RemoteEvent is an authorised player. If it isnt, just ignore the event.
You shouldn’t try preventing exploiters from firing the event in the first place, that is now how you do it. You should know that exploiters are clients too. What you should be doing is NOT trusting the client and validating remote requests. If exploiters firing your remotes is causing a huge issue, I’m sorry but there is a problem with your remote communication that needs to be addressed. Renaming remotes is security through obscurity - which is the worst way to go about this.
If I am wanting to fire an event when a player clicks a GUI, is there anyway you know of that for the most part prevents exploiters from firing it? Or is there a way to make it where the event isn’t fired from the client?
I mean checking the distance server sided. If your worried about a player teleporting to said object, you could include a anti-exploit script for said teleportation. I’m pretty sure it’s impossible for players to change the way the server perceives their location (feel free to correct me if I’m wrong tho ).
Looking at it, I’m not entirely sure why you need to prevent exploiters from firing the event. Could you give a bit more insight onto what it specifically does (the event)? Like do you need a certain amount of x to teleport to said place?
No, because the player will 100% exist in game.Players, otherwise they wouldn’t have been able to fire the event… unless they fired it and left straight away.
Basically I am making a story game with a “VIP” ‘car’ feature. If the player buys a VIP car, then they can decide who is let into it. They can also decide when they want the game to start. I have the rest setup except the start function.
I’d suggest just going with what incapaxx said and simply validating checks, kicking players for abnormal arguments is not recommended if you care about UX
).