Is the "Player" parameter of a click detector spoofable?

Hi! Very basic question. I just want to know if an exploiter could spoof the player parameter of a click detector.
For instance, an exploiter could trigger a click detector and make the server think it came from someone else.

Based on the knowledge I currently have, this parameter should not be possible to spoof, but I want to check and be sure. Thank you.

1 Like

Someone correct me if I’m wrong, but the exploiter cannot exploit any parameters auto-passed. Even if they could, the event would only fire for their client anyway, the server wouldn’t detect it.
e.g.
If an exploiter fired a RemoteEvent, they couldn’t control the Player parameter server-side.

Yes I believe this is correct, I would consider two cases:

  1. If you have a server script and use the player object, this cannot be manipulated
  2. If you have a remote and you fire a “player” object, this can be manipulated as this is info sent from the client to the server

TLDR: You can use the player object with no worries!

Yeah, I just kind of assumed not to mention that because there’d be no point having the Player parameter twice

Thanks for confirming :smiley:

Thanks! I knew it worked that way for remote events, but since click detectors haven’t been updated in forever I wanted to make sure they weren’t firing a player instance from the client. Thanks for the help everyone!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.