Quote:
Originally Posted by MattKan
PHP Code:
function onActionServerSide(action) {
switch (action) {
case "DecRup":
player.rupees -= params[1];
break;
|
This in itself ruins the script. Not only does this allow you to set your own price via Cheat Engine or the like, but you could even set the price to a negative value in order to spawn money.
Quote:
PHP Code:
function Bomb_Button1.onAction() {
//Button "Purchase"
if (player.rupees >= 9) {
triggerserver("gui",this.name,"DecRup",10);
player.bombs += 10;
}else
player.chat = "Insufficient Funds";
}
|
Always do checks like this on serverside. A player could change the amount of darts to gain, the number of rupees to pay, or even negate the trigger entirely. The proper way to do it would be to send a trigger with a parameter "item" (which is either "bomb" or "arrow"), and only add the bombs/arrows on serverside. This ensures that nothing can be tampered with. As a general rule, assume that any script you write on clientside can be changed by a hacker.
An example of how it should be done:
PHP Code:
function onActionServerSide(action, item) {
if (action == "purchase") {
if (! (item in {"bombs", "darts"})) {
return; // player sent a non-existing item
}
if (player.rupees < 10) {
return player.chat = "You need at least 10 rupees!";
}
player.rupees -= 10;
if (item == "bombs") {
player.bombs += 10;
} else if (item == "darts") {
player.darts += 20;
}
}
}
//#CLIENTSIDE
// all of the GUI stuff here
function Bomb_Button1.onAction() {
triggerServer("gui", this.name, "purchase", "darts");
}
function Bomb_Button2.onAction() {
triggerServer("gui", this.name, "purchase", "bombs");
}
edit: Tig and Cubical beat me to it, but this should help as well