Preventing Exploits when players use a Buy Button in a Shop

In my game, there are shop UIs which contain buy buttons to purchase items. This uses a remote function to Invoke the server to take the cash away and give the player the item. One of the parameters in the call to the server is the LocalPlayer.

It has come to my attention that there are exploits out there which allow players to run local scripts, and can therefore use these remote functions to exploit the game. This doesn’t really matter if they are using it for themselves, but they can put other players into the remote function using the Players service, which means they could make other players buy something they may not want, causing them to lose cash.

Is there any way I can make sure that the call from the client is affecting the player which sent it?

2 Likes

The first argument to OnServerInvoke and OnServerEvent should always be the player that actually called up the remote. I’m fairly certain this is a guarantee by Roblox. Any arguments you manually pass, however, could always be literally anything.

5 Likes

Ah okay, thank you!

Turns out I was using :OnServerInvoke instead of .OnServerInvoke. This solved the problem. I didn’t know they worked differently?

Using : is generally for calling functions with parameters, e.g.:

RemoteEvent:FireServer()

Whilst ‘.’ is generally used for a callback to a function, or an event. Example 1:

RemoteEvent.OnServerEvent:Connect(function()

end)

or

RemoteFunction.OnServerInvoke = function()

end

A final note: (I’m not 100% on this though)
Using : invokes a self parameter as the first parameter.

Forum question

How did you get the Programmer role? I can’t find anything in the settings, if you could explain that’d be great (or point me to an article I can’t seem to find)

1 Like

If you click on your character icon in the top right and then on the settings icon, you should be able to change your title to anything you want. Thank you for the help!

Never pass the LocalPlayer as an argument, it is done so automatically as the first argument of OnServerInvoke and OnServerEvent of both remote types. After knowing this, it’s just a matter of acting based on which player requested the purchase via that argument.

1 Like
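The two replies above (the first argument to OnServerInvoke is always the real caller; never pass LocalPlayer yourself) come together in a server-side purchase handler like the following. This is an added example, not code from the thread or from Roblox; the RemoteFunction name "BuyItem", the "Cash" leaderstat and the price table are assumptions for illustration. The only thing the client sends is an item name, so there is nothing for an exploiter to substitute another player into.

```lua
-- ServerScriptService/ShopServer.server.lua  (added example, assumed layout)
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumed: a RemoteFunction named "BuyItem" in ReplicatedStorage.
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")

-- Server-owned price list. Prices never come from the client.
local PRICES = {
	Sword = 100,
	Shield = 250,
}

-- Assumed: each player has leaderstats with an IntValue named "Cash".
local function getCash(player)
	local stats = player:FindFirstChild("leaderstats")
	return stats and stats:FindFirstChild("Cash")
end

-- `player` is supplied by the engine and is always the client that
-- invoked the remote. Anything the client passes lands in `itemName`
-- and later parameters, never in `player`.
buyItem.OnServerInvoke = function(player, itemName)
	-- An exploiter who sends a Player object (or anything else) as the
	-- first explicit argument only ends up with a non-string itemName.
	if typeof(itemName) ~= "string" then
		return false, "bad item"
	end

	local price = PRICES[itemName]
	if not price then
		return false, "unknown item"
	end

	local cash = getCash(player)
	if not cash then
		return false, "no stats"
	end

	if cash.Value < price then
		return false, "not enough cash"
	end

	-- Only the caller's own balance is ever touched.
	cash.Value -= price

	-- Give `player` the item here (inventory code assumed, not shown).
	return true
end
```

The matching client call is simply `buyItem:InvokeServer("Sword")` from a LocalScript, with no Player argument. Because the server looks up the balance through the engine-supplied `player` and validates the item name against its own table, the handler is safe even if the client passes extra or wrong arguments.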

No, not completely. Functions can be defined with : too. The . just means it’s indexing something, while : means it’s calling it or defining it as a method to an object.

function RemoteFunction:OnServerInvoke()

end

Should work.

3 Likes

Aha, that makes more sense. I knew I was missing a small piece of the puzzle!

To add to this: the function is defined as if the first argument was the parameter self.

local t = {};
function t:operation() --equivalent to: function t.operation(self)
    print(self); --self is an implicit parameter.
end
t:operation(); --> table: xxxxxx
t.operation("foo"); --> foo

I find it helpful to know what’s happening under the hood. When I first learned Lua, figuring out when to use : and when to use . was not obvious.

1 Like
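To connect the : versus . explanation back to the original bug in this thread (OnServerInvoke defined with :), here is an added example in plain Lua that runs with any standard interpreter; it is not code from the thread or from Roblox. `newRemote` is a tiny stand-in for a RemoteFunction that, like the engine, prepends the calling player to the arguments, and the player tables are constructed sample data.

```lua
-- Stand-in for a RemoteFunction (assumed helper, not a Roblox API):
-- simulateInvoke(caller, ...) behaves like the engine calling
-- OnServerInvoke(caller, ...) when `caller` fires the remote.
local function newRemote()
	local remote = {}
	function remote.simulateInvoke(caller, ...)
		return remote.OnServerInvoke(caller, ...)
	end
	return remote
end

-- Constructed sample players.
local alice   = { Name = "Alice" }
local bob     = { Name = "Bob" }
local mallory = { Name = "Mallory" }

-- Correct: '.' assignment, so the parameters line up with what the
-- engine passes. `player` is always the real caller.
local good = newRemote()
good.OnServerInvoke = function(player, itemName)
	return player.Name .. " buys " .. tostring(itemName)
end
print(good.simulateInvoke(alice, "Sword"))
--> Alice buys Sword

-- Mallory tries to pass Bob as the "player"; it just shifts into
-- itemName, and Mallory is still charged (or rejected).
print(good.simulateInvoke(mallory, bob, "Sword"))
--> Mallory buys table: ...

-- The bug from the thread: ':' definition is sugar for an implicit
-- `self` first parameter, so every argument shifts one place right.
-- The real caller lands in `self`, and `player` receives whatever the
-- client chose to send as its first explicit argument.
local bad = newRemote()
function bad:OnServerInvoke(player, itemName)
	return self.Name .. " called, but " .. tostring(player.Name)
		.. " pays for " .. tostring(itemName)
end
print(bad.simulateInvoke(mallory, bob, "Sword"))
--> Mallory called, but Bob pays for Sword
```

This is exactly why passing LocalPlayer from the client seemed to work with the : form: the client-supplied player filled the `player` parameter, so any other Player object could be substituted. With the . form, the caller supplied by the engine cannot be overridden.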