So basically, I’m making a shop for a Brick battle inspired game. This is my first time ever making a shop, and my method for labeling each shop item is to manually list them out in a table that’s located inside of a ModuleScript in Replicated Storage.
This ModuleScript would then be accessed by ServerScriptService and the local script to perform different functions relating to the buying and getting information of an item in the shop.
The issue is, I’m going to fire a remote event when the player hits the buy button, and I was wondering if the exploiter can spoof this, specifically if they can spoof the actual amount of money that they have.
You shouldn’t be sending the amount of money a player has from the client in the first place. The server should always be fully authoritative of the value of currency.
Shops are the most basic and common example when teaching the principles of proper design of client-server interactions. The client should be requesting the server to buy something, not telling it “believe I have this much, and give me the item”.
The currency is already set up in a ServerScript in SCS, and when I fire the remote event I’m not going to send the value of the player’s currency through the local script, it will instead be managed through the datastore script in SCS.
P.S., is there anything wrong with the method I’m doing above?
It can’t be spoofed then. Clients could change the value if, for example, you represent the value using ValueObjects, but the change doesn’t propagate to the server. The only way a client can spoof any data is if it exists on their end and you make the server use that value (or in other words, making the client authoritative of that piece of data, and therefore insecure design).
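An added example, not part of the thread, of the server-authoritative purchase handler the replies describe: the client sends only an item id, and the server looks up the price and balance itself. The names `ShopItems`, `BuyItem`, the `Price` field, and the in-memory `balances` and `owned` tables (standing in for the datastore script) are assumptions.

```lua
-- Server Script in ServerScriptService (added example; all names are assumptions).
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Assumed: ModuleScript "ShopItems" returns { [itemId] = { Price = number } }.
local ShopItems = require(ReplicatedStorage:WaitForChild("ShopItems"))
-- Assumed: RemoteEvent "BuyItem", fired by the client as BuyItem:FireServer(itemId).
local BuyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Server-only state; a real game would load and save this through its datastore script.
local balances = {} -- [player] = coins
local owned = {}    -- [player] = { [itemId] = true }

Players.PlayerAdded:Connect(function(player)
	balances[player] = 100 -- constructed starting balance
	owned[player] = {}
end)

Players.PlayerRemoving:Connect(function(player)
	balances[player] = nil
	owned[player] = nil
end)

-- Decides a purchase using only server-held price and balance.
local function tryPurchase(player, itemId)
	-- Remote arguments can be any type, so validate before indexing with them.
	if typeof(itemId) ~= "string" then return false, "bad request" end
	local item = ShopItems[itemId]
	if type(item) ~= "table" or type(item.Price) ~= "number" then
		return false, "unknown item"
	end
	local balance = balances[player]
	if balance == nil then return false, "no data loaded" end
	if owned[player][itemId] then return false, "already owned" end
	if balance < item.Price then return false, "insufficient funds" end
	balances[player] = balance - item.Price
	owned[player][itemId] = true
	return true, "ok"
end

-- `player` is supplied by the engine; only `itemId` comes from the client,
-- and any extra arguments a client sends (a price, a balance) are ignored.
BuyItem.OnServerEvent:Connect(function(player, itemId)
	local ok, reason = tryPurchase(player, itemId)
	if not ok then
		warn(("Purchase rejected for %s: %s"):format(player.Name, reason))
	end
end)
```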