Preventing Script Exploitation

I am attempting to create a cash system which cannot be exploited. I am no scripter, so please explain in great detail. Please brainstorm comments on any ideas which can fulfill this task. I will forward this information to my colleagues. Thank you for reading, this is much appreciated.

1 Like

Many times, this topic has been mentioned previously:


In summary, secure checks on server from client input. Client checks are easily avoidable.

1 Like

May I ask how one applies “secure checks” on server from client input?

For example, on the server you should store the amount of cash the player has, and when they request to buy an item on the client, you check on the server if they have enough cash, with a remote event. The key thing is to assume that anything on the client can be seen and exploited; all major transactions must be done on the server.

Yes, that is an example. Though I wish to be informed of how.

This is a very basic example:

--server script
local CashTable = {} --table to hold all the players' cash in a server
local BuyEvent = game:GetService("ReplicatedStorage"):WaitForChild("BuyEvent") --a remote event used to buy an item (name and location assumed)
local Items = {
   ["Bat"] = 500
}
game.Players.PlayerAdded:Connect(function(player)
   CashTable[player.UserId] = 100
end)
BuyEvent.OnServerEvent:Connect(function(player,item)
   --"item" comes from the client, so only accept names that exist in Items
   if Items[item] then
      if Items[item] <= CashTable[player.UserId] then
         CashTable[player.UserId] = CashTable[player.UserId] - Items[item]
         --give the player the item
      end
   end
end)

--[[

I am checking on the server if the player has enough to buy the item; do not do this check on the client

]]--

Are they getting money when they should be? Say you want to make it so when they click on a part it gives them $500. On the client you would be checking what they are clicking on and then telling the server that they clicked the part.

A secure check on the server would be, for example, making sure they are close to the brick by checking the brick's position compared to their torso. Are they close enough? If so, then let them get the money.

What about buying a sword? On the client they would be clicking their GUI buttons, but then you would want to ask the server if they can buy this sword. A secure check for this example would be checking to make sure they have enough money for the sword and maybe even making sure they are inside of a shop. You would do this in a simple if statement checking that their cash is equal to or greater than the price of the sword.


local Sword = require(script.NormalSword) -- Store data in a module script about the sword on both client/server
local BuySword = game:GetService("ReplicatedStorage"):WaitForChild("BuySword") -- RemoteEvent (name and location assumed)

BuySword.OnServerEvent:Connect(function(Player)
   if Player.Money.Value >= Sword.Price then
      print("Player has enough for the sword.")
   end
end)

Remember you can do these checks on the client as well, but you have to look at it from a perspective as if everyone firing the event is an exploiter. Assume every request sent is false and do every check you need to make a request as secure as possible.
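The click-for-cash check described in the post above, written out as an added example that is not part of the original thread. The instance names `ClaimCash` and `CashPart`, the distance limit and the cooldown are assumptions chosen for illustration.

```lua
-- Server Script (for example in ServerScriptService). Added example, not from the thread.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local ClaimEvent = ReplicatedStorage:WaitForChild("ClaimCash") -- RemoteEvent (assumed name)
local CashPart = workspace:WaitForChild("CashPart")            -- clickable part (assumed name)

local REWARD = 500       -- amount used in the post above
local MAX_DISTANCE = 10  -- studs (assumed value)
local COOLDOWN = 5       -- seconds between accepted claims (assumed value)

local cash = {}      -- [UserId] = number, kept on the server only
local lastClaim = {} -- [UserId] = os.clock() of the last accepted claim

Players.PlayerRemoving:Connect(function(player)
	cash[player.UserId] = nil
	lastClaim[player.UserId] = nil
end)

-- Returns true only when every server-side check passes.
local function canClaim(player, part)
	-- The client picks this argument, so accept nothing but the expected part.
	if typeof(part) ~= "Instance" or part ~= CashPart then
		return false
	end
	-- Read the position from the server's copy of the character
	-- instead of trusting a position sent as an argument.
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	if not root then
		return false
	end
	if (root.Position - CashPart.Position).Magnitude > MAX_DISTANCE then
		return false
	end
	-- Rate limit: a client can fire the event as often as it likes.
	local last = lastClaim[player.UserId]
	if last and os.clock() - last < COOLDOWN then
		return false
	end
	return true
end

ClaimEvent.OnServerEvent:Connect(function(player, part)
	if not canClaim(player, part) then
		return -- drop the request silently
	end
	lastClaim[player.UserId] = os.clock()
	cash[player.UserId] = (cash[player.UserId] or 0) + REWARD
end)
```

Characters are simulated on the owning client, so the distance check is a sanity bound rather than proof of position; the fixed reward and the cooldown still cap what any single request can gain.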

Just wanted to add: what most games do is have a module on the server which acts as a database; then you could have a built-in function to get specific data on a player from a particular key.

It is a system in which, depending on the amount of time they spend in the game, they receive so much money.

E.g.

-- timedelay, currencyname and amount are assumed to be defined earlier in the script
while true do
   wait(timedelay)
   for i,v in pairs(game.Players:GetPlayers()) do
      if v:FindFirstChild("leaderstats") then
         v.leaderstats[currencyname].Value = v.leaderstats[currencyname].Value + amount
      end
   end
end

You would just want to do that server side then; there would be no way of exploiting that if you just let it run on the server.

My concern was:

image

Anyone with admin, sure. If you have an admin system in your game which allows an admin to run server-sided code or manipulate stats, then of course they could give themselves money whenever they want. However, if they have admin then it's not really “exploiting” it. You are simply giving them the permissions to do so.

1 Like

Well, one may exploit to give oneself admin, and so forth.

You can't just “Give yourself admin”. That's impossible unless you have a backdoor or a really bad admin system.

1 Like

As long as this is being done on the server, there is no way this can be exploited.

The code you wrote is completely fine and can’t be exploited. Just remember to leave that code on the server and ensure you don’t have any backdoors in your game (indicated by unexpected errors, attempts to require modules, plugins created by untrusted sources, and so on).

I don’t know if the person who replied to you knows what they’re talking about. Admin scripts aren’t equivalent to exploits. An admin can modify the data by changing the value, yes, but if you have no admin script then this is a non-concern. Your code is secure enough.

3 Likes