Question on value set in remotefunction exploitability

I have a remote function which tells me what item in the store is selected in order to open the corresponding skins tab when they click the skins button, which is set up like this:
client:
image
server:
image

My question is, could a hacker simply change the client script where it says itemnumber = and then put whatever value they want here, so when they do click it then it opens a different skins page (i.e. if they selected weapon 1 which they own but had changed the value of itemnumber to 2, then would it open weapon 2’s skins page)?

They can change it. But, if they don’t get the skins and it’s just visual then that’s okay (so they don’t get the actual skin but it’s only shown, assuming you purchase it).

It also seems like you have your skins stored in the GUI already, so there really isn’t a point in retrieving it from the server when you can do it all on the client (there’s no point of sanity checking on the server when the exploiter already has access to it on the client).

Absolutely; anything on the client can be manipulated. For this reason, it becomes necessary to run checks consistently (i.e. make sure that the Player owns the item before allowing them to open it). On the other hand, it would be entirely possible to simply bypass this step & use Dark Dex in order to enable the frame via simply making it visible.

This tab (skinsframe.itemnumber) is where they would purchase those skins, so if they had selected itemnumber1 then the skins page for itemnumber1 would open, so if they could just change itemnumber to 2 and then open the skins page for that, they would then be able to buy those skins despite not owning itemnumber2.

I could do a simple check if they own itemnumber every time they try to purchase a skin from the skins page for that item, but if possible I’d prefer if I could just make it so that page isn’t possible to be opened at all.

If you want it to be impossible, then do not add the frame to the player’s UI before the frame’s item comes into rotation.

Good idea, didn’t think of that.

Then that’s a design problem. You should always do the necessary sanity checks on the server. If the exploiter can see it on the client, you can’t change that. You should be checking if they own the current skin page on the server when they try purchasing the skin.

@Fid6et the method wouldn’t work because the exploiter would just get the name or id of whatever they’re trying to buy. They don’t necessarily have to click any buttons.

Then, as I mentioned in my first post, run checks; test if the item is in rotation.

Going on from your idea, if I put the skins tab in storage until it was called on, I would still need to use itemnumber to get the right frame, and so it could just as easily be changed to copy any frame into the player’s GUI. Or can the server script paste the frame into the player’s GUI?

Edit: it’s probably irrelevant anyway, since having a check every time you try to buy the skin stops anything from happening, and I’m not too bothered about an exploiter being able to see the skins page if they aren’t able to do anything with it.
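
The server-side check the replies settle on, sketched as an added example that is not code from the thread: the purchase handler treats `itemNumber` as untrusted and verifies ownership before charging. The `PurchaseSkin` remote, the `SKINS` catalogue and the in-memory `playerData` table are assumptions standing in for the game's own remotes and saved data.

```lua
-- Server Script (e.g. in ServerScriptService). Added example, not the poster's code.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Hypothetical remote name; the client calls :InvokeServer(itemNumber, skinName).
local purchaseSkin = Instance.new("RemoteFunction")
purchaseSkin.Name = "PurchaseSkin"
purchaseSkin.Parent = ReplicatedStorage

-- Constructed catalogue: SKINS[itemNumber][skinName] = price.
local SKINS = {
	[1] = { Red = 100, Gold = 500 },
	[2] = { Blue = 150 },
}

-- Hypothetical in-memory store; a real game would load this from its saved data.
local playerData = {}

Players.PlayerAdded:Connect(function(player)
	-- Constructed starting state: owns item 1 only.
	playerData[player.UserId] = { coins = 200, ownedItems = { [1] = true }, ownedSkins = {} }
end)
Players.PlayerRemoving:Connect(function(player)
	playerData[player.UserId] = nil
end)

purchaseSkin.OnServerInvoke = function(player, itemNumber, skinName)
	-- `player` is supplied by the engine; everything after it comes from the client.
	if typeof(itemNumber) ~= "number" or typeof(skinName) ~= "string" then
		return false, "bad request"
	end
	local skins = SKINS[itemNumber]
	local price = skins and skins[skinName]
	if not price then return false, "unknown skin" end

	local data = playerData[player.UserId]
	if not data then return false, "data not loaded" end
	-- The check that matters: a changed itemNumber on the client fails here.
	if not data.ownedItems[itemNumber] then return false, "item not owned" end

	local key = itemNumber .. ":" .. skinName
	if data.ownedSkins[key] then return false, "already owned" end
	if data.coins < price then return false, "not enough coins" end

	data.coins -= price -- price is looked up on the server, never sent by the client
	data.ownedSkins[key] = true
	return true
end
```

With this in place, making another item's skins frame visible on the client only shows the page; a purchase request for item 2 from a player who owns only item 1 returns `false, "item not owned"`.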