Quote:
Originally Posted by kingcj
Ok so don't use params[1] because onActionServerside() references the player that used it, and it's a security risk? Thanks for the help!
If you're just changing your own player's data, you don't need to pass their account to the server because your player object is accessible.
Scenario: Changing your own player's chat. (Ignore the fact that you can do it on the client-side...)
BAD:
PHP Code:
function onActionServerside() {
  // Potentially allowing hackers to make people laugh uncontrollably.
  with (findplayer(params[1])) {
    player.chat = "haha";
  }
}
//#CLIENTSIDE
function onCreated() {
  // A hacker could change the player.account variable that's being sent.
  triggerserver("gui", this.name, "example", player.account);
}
GOOD:
PHP Code:
function onActionServerside() {
  player.chat = "haha";
}
//#CLIENTSIDE
function onCreated() {
  triggerserver("gui", this.name, "example");
}
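
Added example (not part of the original post, and a Python model rather than Graal script): the same trust boundary, showing what the BAD and GOOD handlers do when one message carries another player's account name, plus the case where an action legitimately names a target. The `Player` and `Server` classes, the `is_staff` flag and the account names are assumptions made for the illustration; `sender` stands in for the server-side `player` object.

```python
# Constructed model of a server-side action handler; names are hypothetical.
class Player:
    def __init__(self, account, is_staff=False):
        self.account = account
        self.is_staff = is_staff
        self.chat = ""

class Server:
    def __init__(self, players):
        self.players = {p.account: p for p in players}

    def findplayer(self, account):
        return self.players.get(account)

    # BAD: the target identity is read from params, which the client controls.
    def on_action_bad(self, sender, params):
        target = self.findplayer(params[1]) if len(params) > 1 else None
        if target is not None:
            target.chat = "haha"
            return True
        return False

    # GOOD: the identity is the session the message arrived on; params ignored.
    def on_action_good(self, sender, params):
        sender.chat = "haha"
        return True

    # When an action must name another player, authorize the sender
    # from server-side state before touching the target.
    def on_action_targeted(self, sender, params):
        if len(params) < 2 or not sender.is_staff:
            return False
        target = self.findplayer(params[1])
        if target is None:
            return False
        target.chat = "haha"
        return True

def victim_chat_after(handler_name, sender_is_staff=False):
    """Send one message naming 'victim' and report victim's chat afterwards."""
    sender = Player("sender", is_staff=sender_is_staff)
    victim = Player("victim")
    server = Server([sender, victim])
    # Constructed message: params[0] is the action, params[1] the account.
    getattr(server, "on_action_" + handler_name)(sender, ["example", "victim"])
    return victim.chat

if __name__ == "__main__":
    for name in ("bad", "good", "targeted"):
        print(name, repr(victim_chat_after(name)))
```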