Thread: GUI Help
#2, 03-30-2011, 06:07 PM
fowlplay4
Quote:
Originally Posted by kingcj
Ok so don't use params[1] because onActionServerside() references the player that used it, and it's a security risk? Thanks for the help!
If you're just changing your own player's data, you don't need to pass their account to the server because your player object is accessible.

Scenario: Changing your own player's chat. (Ignore the fact that you can do it on the client-side...)

BAD:

PHP Code:
function onActionServerside() {
  // Potentially allowing hackers to make people laugh uncontrollably.
  with (findplayer(params[1])) {
    player.chat = "haha";
  }
}
//#CLIENTSIDE
function onCreated() {
  // A hacker could change the player.account variable that's being sent.
  triggerserver("gui", this.name, "example", player.account);
}

GOOD:

PHP Code:
function onActionServerside() {
  player.chat = "haha";
}
//#CLIENTSIDE
function onCreated() {
  triggerserver("gui", this.name, "example");
}

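The same BAD/GOOD contrast outside GS2, as an added example that is not part of fowlplay4's post or of Graal's own code: a small Python model of a server that binds each connection to an account at login and then receives one trigger. The `Server`, `Player` and `replay` names, the connection ids and the accounts `alice` and `bob` are constructed for illustration.

```python
"""Constructed model of a server-side trigger handler (not the Graal engine)."""
from dataclasses import dataclass, field


@dataclass
class Player:
    account: str
    chat: str = ""


@dataclass
class Server:
    players: dict = field(default_factory=dict)   # account -> Player
    sessions: dict = field(default_factory=dict)  # connection id -> account

    def login(self, conn_id, account):
        self.players[account] = Player(account)
        self.sessions[conn_id] = account

    def findplayer(self, account):
        return self.players.get(account)

    def on_action_bad(self, conn_id, params):
        # BAD: params[1] is whatever the client wrote into its own message.
        target = self.findplayer(params[1]) if len(params) > 1 else None
        if target is not None:
            target.chat = "haha"

    def on_action_good(self, conn_id, params):
        # GOOD: act on the identity the server bound to this connection at
        # login; any account named in params is ignored.
        self.players[self.sessions[conn_id]].chat = "haha"


def replay(handler_name, claimed_account):
    """Deliver one trigger from connection 1 (logged in as 'alice') that
    claims to come from claimed_account; return every player's chat text."""
    srv = Server()
    srv.login(1, "alice")
    srv.login(2, "bob")
    getattr(srv, handler_name)(1, ["example", claimed_account])
    return {acct: p.chat for acct, p in srv.players.items()}


if __name__ == "__main__":
    print("bad :", replay("on_action_bad", "bob"))
    print("good:", replay("on_action_good", "bob"))
```

With the account taken from the message, alice's connection changes bob's chat; with the session-bound player, the claimed account has no effect.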