How would you add points safely

I’m wondering something. So if you want to add a certain amount of money to a player and you want to make it safe from exploiters, how would you do it?
If you just use the remote event to add money in a server script, can an exploiter just fire that event and add money? I’m wondering, is it possible to do this in a safe way? Thanks

they can fire the event any time they want, BUT it won’t work for them if certain conditions aren’t met…
examples

how did they get this money? 
how much money is being given?
how much money is being taken?
did they even have enough money to take?

these are called ‘Sanity Checks’ and you’ll probably have to be more creative than this depending on your game content.

1 Like

Whenever the client makes a remote request it should be treated as “server may I do X” instead of as “server I will do X”. Never trust the client. Why do you have a remote that arbitrarily gives points in the first place?

1 Like

@incapaxx is right

you wouldn’t have a remote event that JUST gives money.
you will need multiple remote events that give money based on certain actions and they’ll each have their own sanity checks.

1 remote event for picking up money drops
1 remote event for buying certain items
1 remote event for selling certain items
1 remote event for getting random money
1 remote event for players trading money

etc.

1 Like
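An added example (not from any poster in this thread) of the server-side sanity checks described above, for two of the listed remotes: buying an item and picking up a money drop. The remote names `BuyItem` and `PickUpMoney`, the `ITEM_PRICES` table, the `leaderstats`/`Money` IntValue, the `MoneyDrops` folder, the `Value` attribute and the pickup range are all assumptions made for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example; every name is an assumption.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local buyItem = ReplicatedStorage:WaitForChild("BuyItem")         -- RemoteEvent (assumed)
local pickUpMoney = ReplicatedStorage:WaitForChild("PickUpMoney") -- RemoteEvent (assumed)
local dropsFolder = workspace:WaitForChild("MoneyDrops")          -- Folder of drop parts (assumed)

local ITEM_PRICES = { Sword = 100, Shield = 250 } -- prices live on the server only
local MAX_PICKUP_DISTANCE = 12                    -- studs

local function getMoney(player)
	local stats = player:FindFirstChild("leaderstats")
	return stats and stats:FindFirstChild("Money") -- IntValue created by the server
end

-- "Server, may I buy X?" The client names the item; it never sends a price or an amount.
buyItem.OnServerEvent:Connect(function(player, itemName)
	if typeof(itemName) ~= "string" then return end
	local price = ITEM_PRICES[itemName]
	local money = getMoney(player)
	if not price or not money then return end -- unknown item, or stats not set up
	if money.Value < price then return end    -- did they even have enough money?
	money.Value -= price
	-- grant the item here, on the server
end)

-- "Server, may I pick up this drop?" The reward is read from the drop, not from the client.
pickUpMoney.OnServerEvent:Connect(function(player, drop)
	if typeof(drop) ~= "Instance" or not drop:IsA("BasePart") then return end
	if drop.Parent ~= dropsFolder then return end -- must be a live drop the server spawned
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then return end
	if (root.Position - drop.Position).Magnitude > MAX_PICKUP_DISTANCE then return end
	local amount = drop:GetAttribute("Value") -- set by the server when the drop was created
	local money = getMoney(player)
	if typeof(amount) ~= "number" or amount <= 0 or not money then return end
	money.Value += amount
	drop:Destroy() -- a repeated request for the same drop now fails the Parent check
end)
```

The distance check relies on the character's position, which the client influences through network ownership of its own character, so it narrows abuse rather than eliminating it.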

I think this all comes down to how your game works.

If you can handle it all on the server, definitely do! However, this isn’t an option most of the time so you have to split it up between both the client and the server. A common rule of thumb is never trust the client.

As others have mentioned, it’s ok for the requests to come from the client, but always run them against a series of checks to be sure that they are what you wrote and not someone trying to rig the system. Anything done on the client cannot be 100% verified so it depends on how tightly you’re wanting to secure those requests.

1 Like

So should I add points inside local script?

Would you be able to give a little more in depth description on the mechanics of these points in your game?

1 Like

no, a local script will be ON the player’s computer (whether in memory or physically), so it’ll be easily exploitable.

money is sensitive data, so the value has to be updated BY the server. (which is why we use a remote event)

you will only want INPUT events (mouse clicking, key presses, gui events, ETC) in local scripts. these INPUT events will fire the server and ASK the server if it can do something.

1 Like

No, as this very likely wouldn’t replicate to the server. Even if you used a way so it did, anyone could come by and change it to whatever they wish. Fire a remote from the client and then validate and approve (if necessary) on the server.

1 Like

It completely depends on the context. Each action should be processed on the server in a way that it doesn’t trust the client. You can implement that however you want!

1 Like

THANKS Everyone. I got mine working and it has good security to it. Again thanks 🙂