How Should I Deal With a Possible Weapons Exploit Vulnerability?

So I have a game with lots of weapons and so each weapon has an ID number so the server can determine what damage to assess and what visual to play. If I only use one RE for all weapons, then I have to send the weapon ID to the server from the client. But then an exploiter could get the ID of a better weapon and just replace it in the local script (or change the IntValue in the weapon). That seems like a major vulnerability. I could create a unique RE for each weapon type that would send it to a certain weapon server script. But again an exploiter could learn which RE is related to which weapon and make a change to the local script. Same problem.

I can’t have the server track which weapon a player should be using because a player can choose from among a number of weapons in their inventory. The client has to tell the server at some point, which weapon is being used. But if a player has weapons A, B, C and C is the best of these, then an exploiter could just change the local script so all three weapons tell the server that they are C. I could check on the server to ensure that the weapon kind is in the player’s inventory, but that doesn’t avoid this exploit vulnerability.

Perhaps, I could assign random ID numbers to each of the weapons, for each player, each day? But this doesn’t really help; an exploiter could still get the number by using the simple print function. Change the IDs multiple times a day? But even still, I have to send them to the client at some point so the client can tell the server what weapon is being used.

Change the weapon IDs AFTER each use? So after an exploiter might have seen it, the number changes before the exploiter could plug the number into another weapon’s local script? This seems onerous to avoid a theoretical exploit.

Is this an exploit vulnerability that I should worry about? If so, any other ideas on how to deal with it?

Maybe just checking that the weapon is in the player’s inventory is enough. Since the server determines the ammo, if a player has 2 As, a B, and a C (the best weapon) and exploits by giving one of the As the ID number of C, then the player is still using the C ammo. The player is just using an odd visual for the weapon. But since the server is determining weapons, an exploiter could not get multiple C guns or extra ammo because the server wouldn’t find the ammo or weapon in their inventory. So perhaps this is simpler than I thought. Agree? No? Missing something?

I’m not sure if I fully understand what your problem is, however, I don’t think changing the IDs of the weapons will be necessary.

Remember that the client should be asking the server “can I buy/use the weapon of this ID?”, with the server proceeding to check the currency/inventory to see if said client should be allowed to do so.

Also, remember to add server-side sanity checks. For example, if a client fires a remote event that’s supposed to have a weapon ID as a parameter, check (on the server) that the argument sent over is an integer within a valid range (as opposed to another data type).

Sorry if I didn’t address your issue well, it was kind of confusing.

1 Like
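The server-side checks described in the reply above, sketched as an added example that is not part of the original thread. The RemoteEvent name `FireWeapon`, the `WEAPONS` table, and the `inventories` table are assumptions made for illustration; damage and ammo live only on the server, so a client that sends another weapon's ID gains nothing it does not already own.

```lua
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumption: a single RemoteEvent named "FireWeapon" exists in ReplicatedStorage.
local fireWeapon = ReplicatedStorage:WaitForChild("FireWeapon")

-- Constructed sample data: damage is defined only on the server.
local WEAPONS = {
	[1] = { name = "A", damage = 10 },
	[2] = { name = "B", damage = 20 },
	[3] = { name = "C", damage = 45 },
}

-- Hypothetical server-side inventory: inventories[player][weaponId] = ammo remaining.
local inventories = {}
Players.PlayerAdded:Connect(function(player)
	inventories[player] = { [1] = 30, [2] = 12 } -- constructed: owns A and B, not C
end)
Players.PlayerRemoving:Connect(function(player)
	inventories[player] = nil
end)

-- Returns the weapon definition if the request is acceptable, else nil and a reason.
local function validateFire(player, weaponId)
	-- Type check first: clients can send any value, including strings, tables, or NaN.
	if typeof(weaponId) ~= "number" or weaponId % 1 ~= 0 then
		return nil, "weapon ID is not an integer" -- NaN and infinity fail here too
	end
	local weapon = WEAPONS[weaponId]
	if not weapon then
		return nil, "weapon ID out of range"
	end
	local ammo = inventories[player] and inventories[player][weaponId]
	if not ammo or ammo <= 0 then
		return nil, "weapon not owned or out of ammo"
	end
	return weapon
end

fireWeapon.OnServerEvent:Connect(function(player, weaponId)
	local weapon, reason = validateFire(player, weaponId)
	if not weapon then
		warn(("Rejected fire from %s: %s"):format(player.Name, reason))
		return
	end
	inventories[player][weaponId] -= 1
	-- Apply weapon.damage and trigger the visual here, both taken from WEAPONS.
end)
```

Logging the rejection reason per player gives a simple signal for spotting clients that repeatedly send malformed or unowned weapon IDs.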

Sorry for not being very articulate here. I think your solution is good. Having the client get permission from the server before using a weapon is a good solution.

1 Like