Remote Events | Remote Functions : when to use them?

Help and Feedback Scripting Support
#1

Hi! o/

No code, but just a simple question about the concepts of this sort of coding.

So I have a game that I’ve switched FilterEnabled on. I’ve tested it locally with 2 players in-studio many times and it seemed to be working. For more accuracy, I even invited a friend to join a server and he said it was fine.

The problem I’m encountering is the question of: when do I use Remote Events / Remote Functions? Because while despite that my game seems to be working fine, I’m sure that I’ve gotta provide some security on the game as the developer.

I’ve read the Wiki many times, and hearing the line:

If a client needs to make a change that affects the entire server

…just sounds a bit vague to me?

My game consists of Touched events and even speed boosters to increase the WalkSpeed of players for a short period of time. Both have which have been written in Server Scripts. Are those things that should be accommodated with Remote Events / Remote Functions?

When it’s talking about a Client making a “change” to the entire server, is it referring to the scripts you created that can possibly allow the Client to change stuff?

Tried narrowing this post down to the best of my ability, so hopefully it’s not too confusing. Just want to get a clear idea of what I’m dealing with and hoping to get steered toward the right direction.

Thanks :woozy_face:

2 Likes
#2

You’ll need to implement sanity checks on the server if you want your remotes to be safe. So if for example your client wants to make a purchase, the server checks if you have enough money, not the client.

Those should be kept on the server. The server can do it and I don’t see any reason to use LocalScript for that.

It’s just referring to if you for example want to spawn a part from the client, you must use a RemoteEvent and server script to do that, otherwise only you would be able to see it.

4 Likes
#3

Whenever you’re making something with sensitive data (i.e cash) I totally recommend to handle everything on the server so that cash values can’t be manipulated with.

1 Like
#4

As you know, there are two parts of a game loaded when you join a Roblox Game; server and client.
The client is an exact copy of the whole game, that only the client sees. Game stats, progress, missions and basically; all factors of the game, are run and stored by the server.

This is where replication comes in. Replication is where the client “shows” something to the server or vice versa.

There are certain things that the server sees when changed in the client; these are; walkspeed, jumppower, player position (This is why speed hacks, teleport hacks and bunny hop hacks are so easy to make, because the server ‘accepts’ these changes. However if you change, for example, the stats of a player from the client, it does not replicate. This is because it is only handled by the server, hence the client needs to tell the server

Hey dude, can you change my money stats from 1000 to 2000 please?

Imagine the client as a person who is very far away, and has to use a telephone (remote function/ remote event) to contact the server, right?

The server always picks up the phone, though his helpers (server scripts) have to pick up this phone for him. Note, the helpers, are very strict. They have to check your current money themselves, and see if the client is trying to deceive him(use exploits) and if he/she has satisfied the condition for him to get his money changed
(completed mission, etc).

After that, the server changes the money for the client and he goes back to managing the game.

This is why you cannot change this stat from the client, since the server is far away, he cannot see this change. This change is then replicated to other clients, who then are able to see the change from their clients.

2 Likes
#5

For situations like that, how do you recommend maintaining that purpose of security, ensuring that the Client is not using a script to increase their WalkSpeed? I’d suppose that conditional statements would have to be involved like:

if player.Character:FindFirstChild("Humanoid").WalkSpeed > 50 then

Something among those lines that is ensured every few seconds. But of course that’s going to be frustrating due to the player’s WalkSpeed constantly fluctuating.

#6

It’s really simple!
When you need the client to send data to the server and vice versa you use RemoteEvents and RemoteFunctions! When you expect data back you obviously use RemoteFunctions else you could just use RemoteEvents.

When dealing with server security it all depends on how your game and server are constructed, however the easiest way to define it is : Do not let the client tell the server what to do.

For example : The client did x job and expects to receive y money, the client shouldn’t tell the server how much money the server should give it but only should tell the server that the client finished the job (with that being said the server can have checks if the client actually finished the job).

Changing your walkspeed on the client wouldn’t replicate but to fix physics related cheats I suggest checking the distance traveled and then checking if it’s logical with the current WalkSpeed, you can also use the physics equation Velocity = DeltaSpace/DeltaTime well DeltaXZ (Distance) is also fine.

In order to have a secure game you have to structure your server and make the client depend on it for important tasks, handing out money, damaging players, checking x and doing y.
The client shouldn’t be the one in control and it should question/get permissions from the server for important tasks it does.

1 Like
#7

No, the player’s walkspeed does not fluctuate unless you allow it.

Anticheats are best done from the server.
There are many ways to implemet anti speed hacks from the client, but it’s best done from the server. You simply take the position of the player, say, like every 2 seconds. The compare it with the last position taken. If these 2 positions are within proximity, and are reasonable distances to walk through, within 2 seconds, then the client is not speed hacking. That is the simplest way to implement an anticheat for speed hax.

Look at examples such as this

Make sure to look at people’s comments, this gives a better idea if you dont understand the concept. And you get answers to directly unanswered questions.

1 Like
#8

I just took a look at what you linked and all I have to say that it’s really bad, and shouldn’t be used at all.
Yes I know your intention was an “example” but even as an example it’s very horrible and will have a lot of server lag and false positives of course.

I think you should’ve linked something like How you should secure your game - A beginner guide for secure networking and developing anticheats It’s better (not saying it’s the best though).
Or something like Exploiting Explained

1 Like
#9

Sorry about that, it was just a quick search.
Anyways, I think it’s better for him to learn what’s bad before getting to what’s better. I’m not saying that he shouldn’t learn about security or ‘anti-exploiting’ now, all I’m saying is just he needs to first grasp the basic concept of FE before learning how to stop exploiters(which is way more tasking to understand than remote events).

1 Like
#10

The difference between remote events and functions is that a RemoteEvent is designed for one-way communication with the server or client. A RemoteFunction is designed for two-way communication, such that it can send information across the server-client boundary and then wait for a response from the other side.

Its also fairly good for game security, makes it harder for exploiters to exploit.

Remote Events

To define a remote event do:

game.ReplicatedStorage.RemoteName.OnClientEvent:Connect(function(player)
       if player.Character:FindFirstChild("Humanoid").WalkSpeed > 50 then
             -- do something here
       end
end)

This remote is defined on the client and called on the server, if you want to define a remote event on the server, replace ‘OnClientEvent’ with ‘OnServerEvent’ and call it on the server.

To call a remote event simply do:

game.ReplicatedStorage.RemoteName:FireClient(player)

make sure you call this on the server if its a client event and if its a server make sure to call it on the client!

Remote Functions

Remote Functions are basically the same thing as remote events but you can define them multiple times. For example, if i was in a situation where i need to both use the same remote event more than too times, you would use a remote function. The syntax from defining and calling is a bit different, so i will show you an example on how to do it below.

Defining a remote function:

game.ReplicatedStorage.RemoteName.OnClientInvoke = function(player)
       -- do something here
end)

Exact same way of defining the remote events, just the syntax is a bit different.

Calling a Remote Function:

game.ReplicatedStorage.RemoteName:InvokeClient(player)

This can be used in multiple cases! Same way as the remote event, but different syntax when calling!

Click here to see more information on remote events and functions!

2 Likes
#11

Remote events and remote function is like bindable event and bindable function that can communicate with server and client and reverse. If you want to do something on the client from server then you have to use remote events or remote functions.

If you want to secure your game you have to use remote functions/events. If for example a shop makes sure that I player got a certain amount of money to buy something then you want to player to have to amout in order to buy. If requirement is 100 cash and player has 150 cash, player will have 50 cash. But if you have this in local script then the player can exploit it and buy whatever they want and get negative money. If you use an remote event/function that make the check on the server instead the player won’t be able to exploit it

#12

(The reason why I’m here is because @UWURAWRZDAD linked my post haha, thanks)

So to answer your question, Remote Events/Functions are meant for the client to make requests to the server. Something kind of like “hey let me attack” or “hey let me build this block here.” Remote Events are one way. You Fire them meaning you’re passing something from the client to the server or vice versa, and the target is doing something based on what you’ve sent. Remote functions are more like functions, and they can return stuff back which means that the sender will also wait for the target to return (this means you have to include a return somewhere in the callback).

When to use them is a bit of a hard question, but it also sort of ties in with “what is the proper way to use them” so I’ll get into both. Firstly, there are some dos and donts with remotes which are important if you want to make sure your game is secure.

  1. All communication can be seen to and from a client by that client (a client cannot see other client’s remote calls since they are purely Client > Server or Server > Client directly). That means storing passwords in your scripts or anything won’t work since they can see that data being sent.
  2. You should remember that an exploiter can see local script and module source (albeit a little limited), which means that they can see how you use your remotes of the client.
  3. An exploiter can also fire/invoke a remote at any time they please, change their arguments and return data, and even suppress communication as they choose.
  4. An exploiter can override the callback of a RemoteFunction (specifically, a RemoteEvent will not have this issue) if they choose and suppress responses, and because RemoteFunctions wait for a response, this will cause the server’s InvokeClient call to yield forever.

So basically, remotes are simply meant to be used for simple communication such as sending some information to the client, asking the client to do things, or asking the server to do things. I like to think about it like two people communicating. You don’t know what the other person is thinking, so they can tell you, or ask you questions, or ask you to do something. But at the same time, if you asked someone for their banking details do you think they’d give you them, no questions asked?

Your answer to this is most likely no, which brings me to my next point. You want your game’s way of handling remotes to be coherent. If you have a DeleteStructure event, do you think it would make sense to let the client delete a structure they don’t own? Or delete something that isn’t even a structure? You probably don’t, so in your callback you want to make sure you’re being smart about what you do with a client’s request.

A common example of where this can go wrong is with money. Say you have a Donate remote so that one player can make a donation to another. Well, you subtract money from the donator, and add that money back to the target player. But, what if the client sends a negative amount? If you don’t check this value, this will subtract a negative amount from the “donator” thus adding that amount, and add a negative amount to the target, thus removing that amount, so, basically an exploiter could steal money from other players.

As for your game, Touched events behave much like remotes in a way, but it’s not as obvious. When a player touches an object, they (usually) tell the server “hey I touched this object.” And the server can decide whether or not it should fire a Touched event. For anchored parts, and I believe parts with server ownership, when a client tells the server “hey I touched this object” the server usually ignores them and won’t fire a Touched event, and instead, will fire that Touched event when it thinks that they had touched the part.

I hope I haven’t included too much here, as it is quite a bit to read, and I hope this ends up giving you a better understanding of what remotes are/do and how to use them.

2 Likes
#13

Reading all of these comments including this gives me better ease about Remote Events / Functions and what I should almost be expecting. Thanks!

Though, while I’m here, let me ask one more question: when making a game, is it smart to store values within the Client? Kinda like leaderboards, but just general BoolValues within the Character?

I’ve always heard the phrase, “Never trust the Client!”, yet I wasn’t too sure if Values or Strings count.

EDIT: The reason I ask this is because my game’s script is entirely based on the Values of the Character. These specific Values display the status of the Character and what their role is in the game. I figured that if FilteringEnabled is on, it should be fine, right?

1 Like
#14

Generally, the answer is always don’t store anything on the client. If you want to store info on the client you can, but the server should do all of the checking, and the client can simply use that data to know on its own what it can and can’t do. For example, the client could know when it could mine some block, and simply not mine it if it can’t, but the server should also check since that value can still be changed on the client (and only the client).

Basically what FE does is simply prevents (filters) the client from changing any instances for everyone else. They can change properties for themselves, and make objects for themselves, but they can’t make it show up for other people (except in a few very rare cases specific to things such as their character and tools, but this is still very limited)

2 Likes