How do i stop an exploiter from saving to someone elses data?

I want to make my own robust dataStore system. It should save maybe once every 10 to 15 minutes in order to keep player data safe. One problem I have is exploiters. Remote functions are going to be used for saving, but if they send in someone else’s player object then they can back up that person’s saving. This can cause their data to be delayed by a significant portion. They can also send in things that the server can trust the client with, such as custom settings, and it would just be a major inconvenience to the other player.

I have been programming this and I just came across the thought. I haven’t actually had the issue yet, I just want to avoid it in the future.

I have almost implemented a way to stop a player from saving too frequently, but there are more problems caused by that.

Any help is greatly appreciated

TLDR: Datastore saving functions aren’t secure because remote function’s default “player” value can be changed by exloiters, How can i fix this?

1 Like

I’m not sure if I really understand what your trying to do. You want to save players data every 10-15 minutes using remote functions. u don’t need remote functions

	while wait(math.random(600, 900)) do
		-- save data
1 Like

An autosave timer should be entirely server-sided, void of any responsibility given to the client. It’s wise to never trust the client with something critical let alone something that allows them to manipulate someone else’s data

If you have to use RemoteEvents to save, say a manual save button, the server already captures the Player object as the first parameter of the event. You can use that instead of needing them to also specify a player object as an additional parameter.


ah, true. How will i save something that the player has full access to such as settings while having it secure?

1 Like

i know it already has a player object, but that can also be tampered with, cant it?

No, it is impossible to tamper with the Player object. The OnServerEvent will ALWAYS be the player who fired the RemoteEvent.


games like pls donate use attributes i think

when the player joins
they load the saved data to the attributes

when they update there settings in game
it updates the attributes instead of data store to prevent throttling and data store packing up

when they leave they save the data store from the attributes.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.