Is there a way to check for game objects on server with local scripts?

Greetings,
While testing my game, I realized local scripts were extremely vulnerable to exploits on checking the existence of certain objects in a game.
Imagine if a local script in a GUI checks whether the player possesses a certain value inside it. Well, what if, through exploits, they add that value to themselves? The local script will return true, as the player has the value locally, despite the value not existing server-sided.
Is there a way to make server-sided checking on local scripts? Or some possible alternative method to achieve it? Thank you.

Previous attempts:
  • I have previously tried making it so the local script fires a server event, which checks it through the server whether the value exists, and then returns. But I had no success on it.
  • I have also tried to do this checking on the ending parts of the process. In this case, when the shop button was clicked, it would say equip, but when the button was clicked, the server sided function which equips the item would firstly check whether the value exists. From the theoretical view of this second attempt, it seems as if it should work fine, but it didn’t, as if the value existed server-sided. Well, that shouldn’t happen, only either if I messed up the script or if whoever exploited could insert values via server. (Doesn’t exist from what I know.)

Best regards, Eduritez.

2 Likes

I’d go with the first method you gave there (under your previous attempts). Only difference is you’d need a RemoteFunction for the return value to work.

You’ll need to ask the server to check for you if that value exists. If it does, it will return and tell you that you can go ahead and do what you need to; otherwise it will return a ‘no.’

See what RemoteFunctions are and how to use them to send a request to the server and receive data here.

2 Likes

What I do is store player data, that is important, server-sided, on an array/table. When it needs to be required, simply invoke the server through a Remote Function from the client (local script) and you have your data. Always use server-sided sanity checks and you’ll be fine.

Edit: Anything stored on the client can be changed by the client.

This is irrelevant because the client can do anything they want with their GUI and anything that is local. It’s their choice to mess with it and you can’t really do anything about this. Just do checks on the server to be sure that the client has a certain item or has enough money to buy something. A good rule of thumb is never trust the client or always assume that they might be lying.

On the server be sure to store data and give the data to the client to read by using a remote function.

1 Like
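The pattern described in the replies above, as an added example that is not code from any poster in this thread: ownership is kept in a server-side table, a RemoteFunction answers the GUI's question, and the equip handler repeats the same check instead of trusting what the client displayed. The remote names `OwnsItem` and `EquipItem`, the `ownedItems` table and the `Sword` entry are hypothetical.

```lua
-- Server Script (for example in ServerScriptService). All names are hypothetical.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Authoritative ownership data exists only in server memory, keyed by UserId.
-- Nothing a client adds to its own instances can change this table.
local ownedItems = {} -- [userId] = { [itemName] = true }

local ownsItem = Instance.new("RemoteFunction")
ownsItem.Name = "OwnsItem"
ownsItem.Parent = ReplicatedStorage

local equipItem = Instance.new("RemoteEvent")
equipItem.Name = "EquipItem"
equipItem.Parent = ReplicatedStorage

local function loadPlayer(player)
	ownedItems[player.UserId] = { Sword = true } -- constructed sample data
end
Players.PlayerAdded:Connect(loadPlayer)
for _, player in ipairs(Players:GetPlayers()) do
	loadPlayer(player) -- players who joined before this script ran
end
Players.PlayerRemoving:Connect(function(player)
	ownedItems[player.UserId] = nil
end)

-- One check shared by every code path. `player` is supplied by the engine;
-- `itemName` comes from the client and is treated as untrusted input.
local function playerOwns(player, itemName)
	if type(itemName) ~= "string" then
		return false
	end
	local items = ownedItems[player.UserId]
	return items ~= nil and items[itemName] == true
end

-- Answers the GUI's question ("show Equip or Buy?"). Display only.
ownsItem.OnServerInvoke = function(player, itemName)
	return playerOwns(player, itemName)
end

-- The action re-checks on the server; a forged request is dropped.
equipItem.OnServerEvent:Connect(function(player, itemName)
	if not playerOwns(player, itemName) then
		return
	end
	-- equip the item for `player` here
end)
```

In the LocalScript, the GUI would call `ReplicatedStorage:WaitForChild("OwnsItem"):InvokeServer("Sword")` and use the returned boolean only to decide what to display.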

Well, until now, I never knew only remote functions could return values, so it is solved. I will be implementing it to my game soon, I thank you all for your help.

Solve the post that answered your question so that anyone looking for the solution can refer to the correct post.