Everyone says to NEVER EVER use InvokeClient() because exploiters can do not-exactly-specified evil things to the code. Is it just about yielding, that exploiters can never respond and the script will wait forever? That wouldn’t be hard to protect against… I was guessing they can also return some incorrect values (a string instead of array) that would cause errors, but it’s still easy to add sanity checks.
My question is, is there anything besides yielding or returning incorrect values that exploiters can do when I call InvokeClient()?
In my case, I want to get text from player’s GUI but only when the server requests it. I saw people suggest using RemoteEvents twice instead, but that does not remove problems with neither yielding nor false values.
Bad structure. Server must be always the one who holds the value, not client.
This is basically because we can hook any other function to the Remote. Simple.
The section Warning in the docs should clarify things, you either have infinite yield, or effectively an error which can occur and lead to problems on the server script.
RemoteFunction | Documentation - Roblox Creator Hub
Regarding the infinite yield on remote events, there wouldn’t be one because it doesn’t yield for remotes unless you specifically make it yield. False values are always a problem that need their respective sanity checks in place.
I think it’s more about it encouraging bad practices, because the given reasons not to use it also applies to any other server-client communication paradigms. InvokeClient() is more prone to oversights and more likely to run into those kind of issues, but that doesn’t mean the recommended alternatives are necessarily immune to the said issues. Yielding is a big issue but using RemoteEvents for asynchronous communication avoids that. In general, anything coming from the client should be sanitized and rectified.