Values can be hacked?

I’m working on a game and I’m going to set some stuff in values, and my question is: can the values be changed by hackers? That’s it, thanks for reading :+1:

4 Likes

Yes they can, but as long as you don’t let them arbitrarily change it on the server, this won’t be an issue at all.

4 Likes

What do you mean with arbitrarily change? I’m not too good at English…

Values are visible to both the client and server depending on the location they are in. The client (an exploiter) can change that value all they want, however it will only appear on the client. Other clients will not see that value change.
Only the server can change the value to show up for all players.

1 Like

Like whenever they want to do it

As long as you change them on the server, you should be fine. If you change them on the client, yes, they can be changed. (Also, do all checks on the server, not the client.)

So, setting a value, the hacker can change it but the server will see the value as the default that has been selected?

If an exploiter changed it without a remote, the change will not replicate for everyone else thus be useless.

The tables turn if you have a remote that does this – they can abuse that remote if you don’t have proper sanity checks.

1 Like

The server won’t see that change. It’s like pulling something out of your pocket when nobody can see you. Nobody is going to see that change. Only you.
In the same example, let’s say the server (or another person) put something in your “pocket.” Both of you would see that.

Only the server can change a value so others can see it.

2 Likes

Do you know any solutions to it?

There’s no solution to it. You can’t stop the client from modifying their side. You just have to ensure the server handles everything possible.

By either

  • Not having such a remote
  • Have such a remote, but with proper sanity checks. Don’t let the client tell the server what to do.

Local anti exploits are almost pointless, they can be bypassed. There is no 100% way to secure a client. And that’s a good thing imo. Player movement and stuff is handled locally and it replicates

And the hackers can change _G values? I’m thinking about using that.

_G would not do anything here. There is a separate _G table on every machine. Server has its own _G, other clients have their own _G. You shouldn’t be using such anti-pattern anyways.

Basically, anything that has to do with checking things (like stats, or user data values in general) should NEVER be done on the client. Always do it on the server.

Just so this isn’t too misleading, it’s not that you should never do client checks. There can be reasons to do client checks. One example being if your game is completely client-based and probably uses UI only. So a 2D game essentially. Or maybe you want to change the color from red (locked) to green (unlocked) of the AK-47 button in your game when you have enough money to buy it.

Here is how you do it.

You have the client Guis (player guis) ask the server if it’s allowed to have something.

The server then goes “Ok let me see. Well your profile says you have enough gold. It says you have the level requirement, I will allow it.” And then it sends a message back saying “I allowed it.”

The player can’t change the value. The player can’t see its gold value. The player can’t see its level or unlocks. Not the real ones. It can’t see any of that.

The player asks “Can I open a gui?” by moving to a spot or clicking something. The server says “Ok so Player 1 wants the shop gui to come up. Should I allow it? Yeah. Player 1 open your Shop Gui. Here is some info about your Gold and level.”

Player 1 sees the gui open. They then see the message about how much Gold they have and the level. Yeah they can then buff those to the max with hacks. Now lvl 100 now Gold 1 mill. They then ask the server “Can I buy the next level?”

The server then looks. “Ok so you have 5 gold and your level is 4. No.” It then sends a message, saying “Open the Gui that says ‘You can’t afford that’.”

So they can hack their eye candy all they want but they can’t access the values that the server has. They can’t see the real money. They just see a number written on a piece of paper.

Now the other thing is possibly altering the walk speed since that’s in the player Humanoid. Where that’s the case, you can have the server go around and set everyone’s walk speed to a setting all the time, or maybe check the player speed and if they have hacked it, have some consequences. Not sure how that might play out but that’s where I’m a bit unsure as to what one can do.
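A server-side movement check of the kind the post above is unsure about, as an added example that is not part of the original post: the server samples each character's position and compares the distance covered with what its own copy of WalkSpeed allows. The interval, the tolerance and the "move the character back" consequence are assumptions, and a game with server teleports or vehicles would need to exempt those.

```lua
-- Script in ServerScriptService (server-side only).
local Players = game:GetService("Players")

local CHECK_INTERVAL = 0.5 -- seconds between samples (assumed value)
local TOLERANCE = 1.5      -- slack for latency and physics jitter (assumed value)
local lastSample = {}      -- [Player] = { root = BasePart, position = Vector3 }

Players.PlayerRemoving:Connect(function(player)
    lastSample[player] = nil
end)

while true do
    local dt = task.wait(CHECK_INTERVAL) -- task.wait returns the elapsed time
    for _, player in ipairs(Players:GetPlayers()) do
        local character = player.Character
        local root = character and character:FindFirstChild("HumanoidRootPart")
        local humanoid = character and character:FindFirstChildOfClass("Humanoid")
        if root and humanoid and humanoid.Health > 0 then
            local previous = lastSample[player]
            local position = root.Position
            -- Compare only against a sample from the same character, so a
            -- respawn is not mistaken for a jump across the map.
            if previous and previous.root == root then
                local delta = position - previous.position
                -- Horizontal distance only, so falling and jumping are ignored.
                local moved = Vector3.new(delta.X, 0, delta.Z).Magnitude
                -- WalkSpeed as the server sees it: a client-side edit of the
                -- property does not replicate, but the resulting movement does.
                if moved > humanoid.WalkSpeed * dt * TOLERANCE then
                    warn(player.Name .. " moved " .. moved .. " studs in " .. dt .. " s")
                    -- Consequence chosen for this example: put the character back.
                    root.CFrame = CFrame.new(previous.position) * root.CFrame.Rotation
                    position = previous.position
                end
            end
            lastSample[player] = { root = root, position = position }
        else
            lastSample[player] = nil
        end
    end
end
```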

TL;DR: use common sense when designing your game and you’ll be fine

For the longest time, Roblox games were extremely insecure. I mean REALLY insecure. The client (the player’s computer) was allowed to make any arbitrary change they wanted, which replicated to the server (Roblox) and all other clients (other players on the server). A hacker could do literally anything they wanted, and there wasn’t a darn thing you (the developer) could do about it.

However, times have changed. A nifty property of Workspace was introduced (and is now enforced) called FilteringEnabled.

Keep in mind: When FilteringEnabled is off, Experimental Mode is on and vice versa

So technically, no. The client cannot change values by itself. Anything they change will only appear for them and them only. Assuming your game is securely designed, you’ll be fine.

You may be asking, “How do I secure my game then?”

Here’s an example of bad practice of client-server communication. Let’s say, we have a shop. A car shop. You (the client) want to buy the top-of-the-line 2021 RoClaren for a small loan of $250,000 in-game currency. Since the client can’t directly edit their money and give themselves the car, the client requests that they have their currency removed, like so:

-- client

local event = game.ReplicatedStorage.BuyCar

event:FireServer("RoClaren", 250000)

-- server

local event = game.ReplicatedStorage.BuyCar

event.OnServerEvent:Connect(function(plr, car_name, price)
    plr.leaderstats.Money.Value = plr.leaderstats.Money.Value - price
    -- give the player their car
end)

This clearly works, so what’s the issue? Well, this is the same thing that FilteringEnabled=true implies: NEVER and I mean NEVER under ANY CIRCUMSTANCES trust that the client sends CORRECT data.
For example: What if a hacker comes along and…

event:FireServer("RoClaren", -9999999) -- this is a negative amount

The server is subtracting a negative value from their currency, and subtracting a negative is like addition: it’s adding +9999999 currency to their Money value. Congratulations! Your game just got exploited.

How would you properly secure this then? Any reasonable person could do the following:

-- server

local event = game.ReplicatedStorage.BuyCar

-- prices live on the server only; the client never supplies one
local prices = {
    ["Doge RAM"] = 35000;
    ["Bored F-150"] = 40000;
    Cybertruck = 100000;
    RoClaren = 250000;
    Rogatti = 400000;
}

event.OnServerEvent:Connect(function(plr, car_name)
    if not prices[car_name] then return end
    -- car with that name doesn't exist

    if plr.leaderstats.Money.Value >= prices[car_name] then
        plr.leaderstats.Money.Value = plr.leaderstats.Money.Value - prices[car_name]
        -- give them their prized possession
    end
end)

This is much more secure. In fact, there is no possible way for the client to exploit this system. Yay! :tada:

So ultimately, it takes a bit of common sense to design a secure API. It’s why “Free Robux” scams are always fake. The Roblox API (and most other websites’ interfaces) are designed to be unexploitable. So anyone claiming to have found a way is most definitely lying and should be reported.

11 Likes

@ee0w I have just been working on a shop and I asked how to change this shop to a server-side script.
Well, I just got 2 scripts exactly like yours, and I don’t know if I should remove both? Where should I put the script? Well, can you tell me?

@Steve_Speedy so I can do something like this?

function onClick() --I dont know how to write the click thing but this is an example:
print("Player want open the gui")
if Player.Coins.Value = 100 then
wait()
Player.PlayerGui.Gui.Enabled = true
else
print("Player cant afford")
Player.PlayerGui.Gui.Enabled = false
end
end
end

If you’re confused about the client-server model, you should read this article. It explains the difference between Scripts and LocalScripts and when to use them.

As for your code, there are a couple of issues:

  • You have too many ends. Consider indenting your code so you can easily balance them
function onClick()
    print("Player want open the gui")
    if Player.Coins.Value = 100 then
        wait()
        Player.PlayerGui.Gui.Enabled = true
    else
        print("Player cant afford")
        Player.PlayerGui.Gui.Enabled = false
    end
end
end -- <-- this shouldn't be here
  • = is used only for assignment. var = 10 assigns var to the value 10. == is used for testing equality: var == 10 will return true or false depending on if var is 10 or not.
    • You should use >= in this case. Since you want to check if they have enough money, and not if they have exactly 100.
  • Important game logic like money should be handled on the server. It’s okay to implicitly check on the client for instant feedback, but make sure your server is sanity-checking everything.

For learning how Remote Events work, read this article. Seriously, the wiki is jam-packed with useful information.

1 Like
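The advice in the last reply, together with the ask-the-server flow described earlier in the thread, as an added example that is not code from any poster: the click handler is split into a LocalScript that only gives feedback and a Script that makes the decision. The RemoteFunction `BuyItem`, the `Coins` IntValue, the GUI object names and the one-item catalogue are all assumptions made for illustration.

```lua
-- == Script in ServerScriptService ==
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local buyItem = ReplicatedStorage:WaitForChild("BuyItem") -- assumed RemoteFunction

local PRICES = { Sword = 100 } -- constructed sample catalogue, kept on the server

Players.PlayerAdded:Connect(function(player)
    local coins = Instance.new("IntValue") -- created by the server, so it replicates out
    coins.Name = "Coins"
    coins.Parent = player
end)

buyItem.OnServerInvoke = function(player, itemName)
    -- Arguments come from the client: check the type before using them.
    if type(itemName) ~= "string" then return false, "Bad request" end
    local price = PRICES[itemName]
    local coins = player:FindFirstChild("Coins")
    if not price or not coins then return false, "Unknown item" end
    -- >= semantics, checked against the server's own copy of the value.
    if coins.Value < price then return false, "You can't afford that" end
    coins.Value = coins.Value - price
    return true, "Purchased"
end

-- == LocalScript inside the ScreenGui ==
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local player = game:GetService("Players").LocalPlayer
local buyItem = ReplicatedStorage:WaitForChild("BuyItem")
local gui = script.Parent
local button = gui:WaitForChild("BuyButton") -- assumed TextButton
local message = gui:WaitForChild("Message")  -- assumed TextLabel

button.Activated:Connect(function()
    -- Instant feedback only. Editing Coins locally gets past this line,
    -- but the server still answers from its own value.
    if player:WaitForChild("Coins").Value < 100 then
        message.Text = "You can't afford that"
        return
    end
    local ok, reason = buyItem:InvokeServer("Sword")
    message.Text = reason
    gui.Enabled = true -- keep the GUI up to show the server's answer
end)
```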