Seeking an explanation

Hi guys. I'm pretty new to Lua scripting, and after a long pause I wish to complete my mod. But I need some help. How should I organize my scripts? Server to client, client to server? Are they hackable by clients?
For example:
I want to create an economy add-on. Should I check transactions on the client or on the server? Can a user load a self-made script with ‘Trigger(Server)Event’ and make themselves rich?
For another example, if I create a market add-on that uses my economy mod, should I create server-side scripts for the market with transaction checking?

  1. Market (client) sends an event with ‘witdrawMoney’ to the server-side economy script
  2. Economy checks if everything is all right
  3. Economy sends the result to market-server
  4. Market (server) sends to market-client some ‘you have new item’
  5. Economy sends to the client ‘moneyUpdateHud’

Is this the right way of scripting in FiveM?

Or should I do:

  1. Market-client sends to economy-client the value to withdraw and the item id
  2. Economy checks if money is available (greater than value) and sends back ‘item #id bought for 1$’
  3. Market-client sends to market-server ‘o-oh, new item there, please save to mysql’
  4. Economy-server does the same thing with money values

Which way is right? Server-side checks, or can I do them client-side?
Btw, too many events can be sent from server to client and client to server just for a money check and buying an item. I think it’s bad practice (too many actions for similar things), but it's also bad practice when everything is done client-side. I came here for answers. Please help =)

Sorry if I said something wrong, my bad. (English, scripting)

A few tips:

  • Don’t trust whatever data comes from the client (i.e. a transaction saying x receives 100m).
  • Be aware of TriggerServerEvent and TriggerEvent; these can be called by anyone at any time with any arguments. Especially dangerous is the server variant, which can really screw over your server.
  • Use something like AntiCheese AntiCheat to prevent usage of destructive hacks that ruin servers. Also I would recommend the PlayerTrust plugin, to prevent people using throwaway accounts :slight_smile:
  • Use Resource Scrambler, so people cannot easily invoke server events.
  • Use common sense really.

Definitely, this needs to be handled by the server. The thing is that you cannot trust the client, so make sure to check that the player has the funds, that they get removed from his bank account, and that the receiver exists.
Probably more things to check to prevent wonky/invalid/cheated transactions.

Of course they can, but be smart about how you implement that on the server. Just don’t blindly assume what is being sent to you (server) and do proper sanity checks.
I’d say try making a script to exploit it yourself :slight_smile: (just use a client-side resource).
Heck, you could even use some kind of checksum hash to assure the transaction isn’t tampered with.

Anything that should not be tampered with, put on the server side. The only thing I see on the client is updating the HUD of bank/cash balance; the rest should be calls to the server.

Find a good balance, ideally you want anything that can be abused on the server side of things. Having 5-10 more calls to the server is better than one call to the server and everything can be abused :stuck_out_tongue:

3 Likes
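The server-side check recommended in the answer above, as an added example that is not part of the original thread: the client sends only an item id, and the server takes the price from its own table and the player from the event's `source`. The event names, `PRICES` and the in-memory tables are hypothetical; the file also runs under plain Lua, where it prints the results of a few constructed requests.

```lua
-- server.lua (added example). Event names, PRICES and the in-memory tables are
-- hypothetical; a real resource would load and save balances through its database.
local PRICES   = { bread = 5, medkit = 250 }   -- server-owned price list
local balances = {}                            -- [player id] = cash
local items    = {}                            -- [player id] = { [item id] = count }

-- Core check. `src` is the sender id supplied by the server runtime;
-- `itemId` is the only value accepted from the client.
local function buyItem(src, itemId)
    if type(itemId) ~= "string" then return false, "bad_request" end
    local price = PRICES[itemId]               -- never a client-supplied price
    if not price then return false, "unknown_item" end
    local cash = balances[src] or 0
    if cash < price then return false, "insufficient_funds" end
    balances[src] = cash - price               -- debit and grant in one place
    items[src] = items[src] or {}
    items[src][itemId] = (items[src][itemId] or 0) + 1
    return true, balances[src]
end

if RegisterNetEvent then
    -- Inside FiveM: expose the check as a network event.
    RegisterNetEvent("market:buyItem")
    AddEventHandler("market:buyItem", function(itemId)
        local src = source                     -- copy the global sender id first
        local ok, result = buyItem(src, itemId)
        if ok then
            -- The client only redraws its HUD with the server's number.
            TriggerClientEvent("economy:moneyUpdateHud", src, result)
        else
            TriggerClientEvent("market:purchaseFailed", src, result)
        end
    end)
else
    -- Plain Lua: constructed requests, including forged ones.
    balances[1] = 100
    print(buyItem(1, "bread"))                 -- valid purchase
    print(buyItem(1, "medkit"))                -- price above the balance
    print(buyItem(1, { price = -1000000 }))    -- table sent instead of an item id
    print(buyItem(1, "free_money"))            -- item the server does not sell
    print(buyItem(2, "bread"))                 -- player with no balance record
end
```

A client that calls the event directly with arbitrary arguments can only request an item the server already sells, at the server's price, against its own balance.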

Thanks a lot! It will move me out of a dead end.