How to send the client data to server? (and prevent hackers)

Hello, everyone. I’m currently working at new game, that mainly uses client.
so I want to know how to send client data to server.

sending data to server is easy, just I have to send data using remoteevent or remotefunction.

but in this way, hacker might use exploit to send hacked data using remoteevent or remotefunction.

so, I thought sending data with code can prevent hacker to send hacking data. like using accountage, and tick() function and some calculation. but from me, It is hard to understand code. so I need the idea.

image1280×720 100 KB

so I want your opinion, how to send client data to server preventing hackers. Thanks in advance

put special keys into your argument when u :FireServer(specialkey)
and in your serverscript check the keys if correct
sorry im noob, there are better solutions, but this is the simplest one I can provide

In ROBLOX, preventing hackers has always been a cat and mouse game. Just never trust the client, do the checks(e.g check if they have enough money to buy a sword), Even if you make some sort of crazy algorithm to prevent hackers, I guarantee it will be bypassed eventually.

yes this guy is right.
but do the checks at serverscripts
to be honest, check is really the only important thing

hm. It’s hard to don’t using client, client is required to play this game.
so, I think changing code every they found the algorithm is not a bad idea.
like checking in V3rmillion or something and If they found algorithm.
It’s hard to get the content of script (I think), so I think it is better one.

Doing checks on client and server is better, let me give an example:

Only server:

Player wants to buy a sword
Sends remote to buy a sword
Server checks it

Client and server:

Player wants to buy a sword
Client checks if player can buy a sword --This time if it fails the remote doesnt get sent to server which means server doesnt have to be busy with the checks
If checks success, then send remote to the server

stated in Law of Lua 65.3 Sector C, that checking in both client and server is particularly useless and small brain.
This is due to client never does job better than it can.
When an exploiter changes a value locally, it will bypass the client checks anyway.
So adding client check doesn’t buff the protection, it is better to stay alone with server check itself.

Hmm. so changes of data will be operated by client, so they can’t check it from server.
sorry for solving problem harder

Yes, and that means the server won’t detect any changes that you made on client and it will act like they have never exploited.

Anyways, we’re on a different topic, now we are talking about transfering data from
client to server, right?

This is one of the misconceptions when it comes to anti-exploits. Whatever you do on the client is visible to the exploiter. If you pass a key, the exploiter can track what arguments are passed and just fake the key.

As mentioned numerous times above, preventing exploiters isn’t as straightforward as it seems. You can’t patch all exploits at once, and anyone claiming to have done so is most likely lying. Loopholes are going to be found and exploited by anyone looking for them, and it’s your job to patch them.

In short: utilise sanity checks on the server when receiving tasks from the client and focus on patching not preventing.

Like the other posts, doing checks on client and server can shave off some kiddies. Since the server can access more than the client, it shouldnt be too much of a problem to prevent shop exploiting. For example,

--client
local function buy(item) -- have it be a ModuleScript that holds info about the item
   local confirmed = game.ReplicatedStorage.Buy:InvokeServer(item)

    if confirmed then
        --the purchase is valid and you can display something here if you want
    end
end

buy(game.ReplicatedStorage.ShopItems["ExampleItem"])

--server

game.ReplicatedStorage.Buy.OnServerInvoke = function(plr, item)
    --now we let the server do the checking
    --lets check if the item is actually what we want and not some shenanigan the exploiter tried to pass

    if typeof(item) ~= "Instance" or not item:IsA("ModuleScript") then return false end

    local iteminfo = require(item) --like i said, have it a modulescript so we can access its info easier
    if plr.Stats.Currency.Value >= iteminfo.Price then
        --you can change it to your currency, and the price value in the modulescript
        plr.Stats.Currency.Value = plr.Stats.Currency.Value - iteminfo.Price
        return true
    else
        return false
    end
    
end

This is more of an example of how to somewhat avoid hackers. I dont use this, but i’d figure it would help some people who are using ModuleScripts to store item info. Its not 100% foolproof, eventually they will find a way around it, but it should stall them for abit.

thats why i said its simple, dont be mad
i use bad exploit and i cant do that, so it can reduce the amount of exploiters!
dontbanme

I wasn’t “mad”, I was just stating that malpractices should be avoided. And also, while you shouldn’t be confessing to using exploits here (especially since all forms of hacking including white hat hacking) is forbidden, experienced exploiters can and will break through the easiest of anti-exploits.

Well, this depends on what exactly do you want to achieve, i think you made this thread with the reason to prevent hackers from sending fake or hacked data to the server with a script, could you explain us what do you want to do, i might help you, it depends on what is the case now .

I want to know the idea of preventing fake data, or what you’re going to do when preventing fake data.

PS:
data is contained into client, want to send to server.

Unfortunately, this will not stop anyone exploiting. They will get your code and use it against you.

The only way you can safely and accurately prevent exploiting is to do sanity checks on the server. Everything else is fluff.

Doing a sanity check is as easy as checking if the player really has enough money to buy something. That’s it… no fancy keys required. As long as you never trust the client and check the arguments they’re sending you, you will never run into problems with exploiters.

You should have the mindset that everything received from the client is malicious, and you should run code on the server to do a check on this data to ensure that it is what was expected

It honestly depends what you’re passing along the remote event / remote function, if you’re passing along a request for a user to buy an item, the only thing you should really be passing is the request, and name of the item, and on the server end you should check if the players money if sufficient, remove it, then give the item.

Could you specify what data you will be passing through the remote events?

It will be like score and key per data, like RoBeats thingy game. not like that, but sends that.
and let clients to read their data.

Ohh. It’s kind of right, but I want to know how RoBeats does because my game is related to RoBeats, using Keyboard.

If your whole game is based on what the client is doing, I don’t think there’s a way for the server to accurately control what they are passing to you.

I would say this situation is similar to the Lag test game , since the whole game is ran on the client, which spawns blocks on your end without the server having a say in what is spawned, and clients are able to send data to the server and the server can’t really check if their score was valid.

The only thing I can think of if having the code be ran mainly on the server, and sent to the client to run, however dependant on the game, this can affect the latency, but will limit clients from being able to send too outrageous responses. Or, if you can find another way for the server to have a say in what the client is doing, that may also work.