ROBLOX Forum » Game Creation and Development » Scripters
Re: FilteringEnabled Security
powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 01:50 PM
Hello all,

While developing my games, all of which are using FE, I was wondering if there was a potential security risk.

So, basically, when a player joins, I put some values into the player, an example is credits. Whenever the credits value is updated, a GUI updates to notify the player. The credits value is updated from when the server is awarding it. But, now that I'm making a shop system, I need to get the credits value so I can see if they have enough. Do I need to RemoteEvent my way through? Or if the player exploits the Credits value, will it change?

Thanks in advance!

Enjoying your stay at the Scripters Forum? Join this! http://www.roblox.com/My/Groups.aspx?gid=2582784

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 01:53 PM
I don't get it, doesn't the GUI that displays the number of credits use the value stored in the player?

rayk999
Joined: 18 Feb 2011
Total Posts: 4705
19 May 2015 01:56 PM
Actually that's an interesting question. But instead of messing with more RemoteEvents, why not use a RemoteFunction that'll handle the purchase from the server? And if it goes through fine, then send back an "all good" sign.

buildersteven4
Joined: 08 May 2009
Total Posts: 1325
19 May 2015 01:56 PM
You should do all the "can I buy this?" checks and the "Give player this shop item." on the server.

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 01:58 PM
Wait, so you mean you were trying to handle the purchases on the client? The client couldn't reward itself items, since they wouldn't replicate to the server, so the only way for that to work would be for the client to tell the server via a RemoteEvent to give it an item. But then a hacker could tell the server to reward it all of the items. Instead, whenever a player attempts to purchase an item, use a RemoteEvent to tell the server the client would like to purchase an item. Then, the server can check the player's cash level, and if they have enough, subtract the cash and then give the player the item.

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 01:59 PM
@NQ

The GUI updates with the Credits Value.
The actual credits value, for the Datastore is created on the server. And that updates the Credits value on the player.
I can handle it server-sided, no problem.

But I just want to know if the Client can change the values on the Client, with FE on.

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:00 PM
Not unless the player somehow found a way around FE.

buildersteven4
Joined: 08 May 2009
Total Posts: 1325
19 May 2015 02:05 PM
^ unlikely :)

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:07 PM
That post was for your first post.

Ok, so I'll just handle the purchases server-sided. But now, I have something called ItemCodes. These are just values inside a folder in the player instance. They are going to be changed whenever the person buys something in the shop. They aren't stored on the server. I'll give an example:

Say somebody bought a water bottle, I would handle the purchase server-sided.
Then, if they equip the water bottle, it would update their 'GearCode' which, when the round starts, will read the value, and give the player the item which the ID corresponds to.

BUT THEN, if I have FE on, will the client be able to change anything under their player instance?

Since FE just stops the client making changes to the server.

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:09 PM
Like I said, not unless someone found a way around FilteringEnabled.

digpoe
Joined: 02 Nov 2008
Total Posts: 9092
19 May 2015 02:09 PM
FE is perfectly secure as long as you don't allow the client to directly alter values.

e.g. if you had a remote event to award points:

RemoteEvent:FireServer("AddPoints", 1)


the client can just request that to add as many points as they like. however, if you alter it a bit it's fine:

-- assuming this is a gun:
RemoteEvent:FireServer("ShootTarget", foundTarget)
-- 'foundTarget' is the character of a player which you shot

now, in the server script:

local max_distance = 100 -- studs; reject shots claimed from further away than the weapon can reach

RemoteEvent.OnServerEvent:connect(function(client, msg, target)
    if msg == "ShootTarget" then
        -- 'target' comes from the client, so check it is an Instance before calling methods on it
        if typeof(target) == "Instance" and target:IsA("Model") then
            local humanoid = target:FindFirstChild("Humanoid")
            if humanoid then
                -- DistanceFromCharacter takes a Vector3, so pass the model's position, not its CFrame
                local dist = client:DistanceFromCharacter(target:GetModelCFrame().p)
                if dist < max_distance then -- prevent players from shooting people halfway across the map when it's impossible to do so
                    humanoid:TakeDamage(10)
                    if humanoid.Health < 1 then
                        AwardPoints(client, 1)
                    end
                end
            end
        end
    end
end)


That's perfectly secure. It won't error at all (unless your client was doing something weird and then 'client' became nil for some reason but that's unlikely)

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:12 PM
That still isn't safe since the client could pass anything as the target. You should just do the raycasting on the server. Also, why do people always try to put everything in one RemoteEvent rather than just creating multiple RemoteEvents? Putting everything in a single RemoteEvent is pretty stupid, IMO.
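A server-side version of that shot check, as an added example (it is not code from the thread or from any poster). The client sends only the direction it is aiming; the server starts the ray at the shooter's own character, does the raycast itself, rate-limits the shots and awards the points. The RemoteEvent name ShootEvent, the MAX_RANGE, FIRE_COOLDOWN and DAMAGE constants and the leaderstats/Points value are assumptions, and workspace:Raycast and RaycastParams are the current Roblox API, which did not exist when the thread was written.

```lua
-- Added example (not from the thread): server-authoritative hit validation.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local ShootEvent = ReplicatedStorage:WaitForChild("ShootEvent") -- assumed RemoteEvent
local MAX_RANGE = 300     -- studs (assumed weapon range)
local FIRE_COOLDOWN = 0.2 -- seconds between accepted shots per player (assumed)
local DAMAGE = 10

local lastShot = {} -- [Player] = os.clock() of the last accepted shot

-- A Vector3 supplied by a client can carry NaN or inf; reject those up front.
local function isFiniteVector(v)
    if typeof(v) ~= "Vector3" then return false end
    for _, n in ipairs({ v.X, v.Y, v.Z }) do
        if n ~= n or n == math.huge or n == -math.huge then return false end
    end
    return v.Magnitude > 0
end

ShootEvent.OnServerEvent:Connect(function(player, aimDirection)
    -- 1. Validate the argument: an exploiter can pass any value here.
    if not isFiniteVector(aimDirection) then return end

    -- 2. Rate-limit per player so the client cannot fire faster than the weapon allows.
    local now = os.clock()
    if lastShot[player] and now - lastShot[player] < FIRE_COOLDOWN then return end
    lastShot[player] = now

    -- 3. The shot starts at the shooter's own character as the server sees it,
    --    never at a client-supplied position.
    local character = player.Character
    local head = character and character:FindFirstChild("Head")
    local humanoid = character and character:FindFirstChildOfClass("Humanoid")
    if not head or not humanoid or humanoid.Health <= 0 then return end

    -- 4. The server does the raycast; the client never names the target.
    local params = RaycastParams.new()
    params.FilterDescendantsInstances = { character }
    params.FilterType = Enum.RaycastFilterType.Exclude
    local result = workspace:Raycast(head.Position, aimDirection.Unit * MAX_RANGE, params)
    if not result then return end

    local hitModel = result.Instance:FindFirstAncestorOfClass("Model")
    local hitHumanoid = hitModel and hitModel:FindFirstChildOfClass("Humanoid")
    if not hitHumanoid or hitHumanoid.Health <= 0 then return end

    hitHumanoid:TakeDamage(DAMAGE)
    if hitHumanoid.Health <= 0 then
        -- Points are awarded here, on the server; the client never asks for them.
        local stats = player:FindFirstChild("leaderstats")
        local points = stats and stats:FindFirstChild("Points") -- assumed IntValue
        if points then points.Value += 1 end
    end
end)

Players.PlayerRemoving:Connect(function(player) lastShot[player] = nil end)
```

The client-side script only does `ShootEvent:FireServer(mouse.Hit.Position - head.Position)` or similar; everything that decides whether a hit counts lives above, so a forged FireServer can at most ask the server to fire a legitimate shot at the weapon's real rate.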

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:33 PM
@Dig

Thanks, I'm going to use that for the shop-system I have.

@NQ

Are you sure?

Like this.

game.Players.PlayerAdded:connect(function(plr)
Instance.new("IntValue", plr)
end)

1. If FilteringEnabled is on, then would the actual hacker be able to change it?

2. If FilteringEnabled is off, then what would happen after?

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:39 PM
I said that the code that dig posted, which allows any client to tell the server to damage any player within a certain range of them, isn't safe.

Stats inside the player instance are safe granted the player doesn't know a way around FilteringEnabled, which is unlikely.

buildersteven4
Joined: 08 May 2009
Total Posts: 1325
19 May 2015 02:39 PM
Just think for every ":FireServer": can a cheating player send a lie to his advantage?

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:40 PM
Wait, but why is it safe then?

Since the client has it accessible. Couldn't they just change it by game.Players.LocalPlayer.IntValue.Value = 1337 or something?

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:41 PM
The golden rule, at least in the server-client model, is: never trust the client. You should always verify any input the client sends to you to make sure it isn't malformed (especially in web programming), and you should always remember that any input from the client could be a lie.

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:42 PM
It's safe because with FilteringEnabled the client can't change the value.

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:42 PM
So it would be best to save it in a table using Datastores? The actual code value itself.

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:43 PM
Stop ninja'ing me... :P

I thought FE just stops changes the client makes to the SERVER, not the CLIENT.

buildersteven4
Joined: 08 May 2009
Total Posts: 1325
19 May 2015 02:43 PM
He can change it. But the server will just ignore that, so it wouldn't matter.

nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:47 PM
You're correct, FE stops changes on the client from replicating to the server, it doesn't stop changes on the client itself.

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:48 PM
Well for the code it is different. I do save it with datastores. But the problem is, if they can change the code to something else, they can just get any ability they want. Here's an example:

Before a round starts, they change their code under their 'player' instance. Let's say they change it to 122 (umm, a doge ability? I'm making it up).
When they go into the round, and they are the police or something, whenever they shoot their gun, the script checks whatever code they have, and does whatever the code makes it do. For this instance, it makes the player you shoot get a doge skin. So they could just change the value to anything they want.


nQqzRYVpIKA5jLP
Joined: 05 Mar 2015
Total Posts: 4135
19 May 2015 02:50 PM
But the code that checks the code is on the server, right? And since the client can't affect the code, at least not the code on the server, it is still safe.

powerhotmail123
Joined: 11 Apr 2011
Total Posts: 5041
19 May 2015 02:54 PM
It checks it server-sided. But I don't save the codes on the server. So the server just reads it from the player. Which could lead to a potential security risk.
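An added example (not code from the thread or from any poster) that covers both the purchase flow nQqzRYVpIKA5jLP describes and the GearCode question above: credits, owned items and the equipped item are kept in a server-side table keyed by UserId, the IntValue under the player exists only for the GUI to display, and the round-start code reads the gear code from the server table rather than from anything under the player. The RemoteEvent names PurchaseEvent and EquipEvent, the CATALOG contents, the gear codes and the DataStore name are assumptions.

```lua
-- Added example (not from the thread): server-authoritative shop and equip state.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local DataStoreService = game:GetService("DataStoreService")

local PurchaseEvent = ReplicatedStorage:WaitForChild("PurchaseEvent") -- assumed RemoteEvent
local EquipEvent = ReplicatedStorage:WaitForChild("EquipEvent")       -- assumed RemoteEvent
local store = DataStoreService:GetDataStore("PlayerProfiles_v1")      -- assumed name

-- The catalog lives on the server; clients only ever send an item id.
local CATALOG = {
    WaterBottle = { price = 50,  gearCode = 101 }, -- assumed items and codes
    Doge        = { price = 500, gearCode = 122 },
}

-- profiles[userId] = { credits = n, owned = { [itemId] = true }, equipped = itemId or nil }
local profiles = {}

local function loadProfile(player)
    local ok, data = pcall(store.GetAsync, store, "u" .. player.UserId)
    local profile = (ok and data) or { credits = 0, owned = {}, equipped = nil }
    profile.owned = profile.owned or {}
    profiles[player.UserId] = profile

    -- Display copy only: the GUI reads this; no server code ever does.
    local credits = Instance.new("IntValue")
    credits.Name = "Credits"
    credits.Value = profile.credits
    credits.Parent = player
end

local function saveProfile(player)
    local profile = profiles[player.UserId]
    if profile then
        pcall(store.SetAsync, store, "u" .. player.UserId, profile)
        profiles[player.UserId] = nil
    end
end

-- Credits change only through this server function; the display value follows it.
local function addCredits(player, amount)
    local profile = profiles[player.UserId]
    if not profile then return end
    profile.credits += amount
    local display = player:FindFirstChild("Credits")
    if display then display.Value = profile.credits end
end

PurchaseEvent.OnServerEvent:Connect(function(player, itemId)
    local profile = profiles[player.UserId]
    local item = type(itemId) == "string" and CATALOG[itemId]
    if not profile or not item then return end      -- unknown item: ignore the request
    if profile.owned[itemId] then return end         -- already owned
    if profile.credits < item.price then return end  -- cannot afford it
    addCredits(player, -item.price)
    profile.owned[itemId] = true
end)

EquipEvent.OnServerEvent:Connect(function(player, itemId)
    local profile = profiles[player.UserId]
    -- Ownership is checked against server state, so a forged request cannot
    -- equip a gear code the player never bought.
    if profile and type(itemId) == "string" and profile.owned[itemId] then
        profile.equipped = itemId
    end
end)

-- Round-start code calls this instead of reading a value under the player.
local function gearCodeFor(player)
    local profile = profiles[player.UserId]
    local item = profile and profile.equipped and CATALOG[profile.equipped]
    return item and item.gearCode or nil
end

Players.PlayerAdded:Connect(loadProfile)
Players.PlayerRemoving:Connect(saveProfile)
game:BindToClose(function()
    for _, player in ipairs(Players:GetPlayers()) do saveProfile(player) end
end)
```

With FilteringEnabled on, a client that sets its own Credits or a GearCode value only changes its local copy, as the thread concludes; keeping the authoritative copy in the profiles table means the design stays correct even in a place where FilteringEnabled is off, because the server never reads the replicated values at all.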