Arrow buying

[cbk1994]

Quote:

Originally Posted by MattKan

PHP Code:

function onActionServerSide(action) {
  switch (action) {
    case "DecRup":
      player.rupees -= params[1];
    break; 


This in itself ruins the script. Not only does this allow you to set your own price via Cheat Engine or the like, but you could even set the price to a negative value in order to spawn money.

Quote:

PHP Code:

function Bomb_Button1.onAction() {
  //Button "Purchase"
 if (player.rupees >= 9) {
   triggerserver("gui",this.name,"DecRup",10);
   player.bombs += 10;
  }else
    player.chat = "Insufficient Funds";
} 


Always do checks like this on serverside. A player could change the amount of darts to gain, the number of rupees to pay, or even negate the trigger entirely. The proper way to do it would be to send a trigger with a parameter "item" (which is either "bomb" or "arrow"), and only add the bombs/arrows on serverside. This ensures that nothing can be tampered with. As a general rule, assume that any script you write on clientside can be changed by a hacker.

An example of how it should be done:

PHP Code:

function onActionServerSide(action, item) { 
  if (action == "purchase") {
    if (! (item in {"bombs", "darts"})) {
      return; // player sent a non-existing item
    }
    
    if (player.rupees < 10) {
      return player.chat = "You need at least 10 rupees!";
    }
    
    player.rupees -= 10;
    
    if (item == "bombs") {
      player.bombs += 10;
    } else if (item == "darts") {
      player.darts += 20;
    }
  }
} 

//#CLIENTSIDE 
// all of the GUI stuff here

function Bomb_Button1.onAction() { 
  triggerServer("gui", this.name, "purchase", "darts");
} 

function Bomb_Button2.onAction() { 
  triggerServer("gui", this.name, "purchase", "bombs");
} 


edit: Tig and Cubical beat me to it, but this should help as well

[Cubical]

Quote:

Originally Posted by Tigairius

I would check both clientside and serverside. That way if they aren't hacking, it won't send a needless trigger to the server.

I need to start doing that.

[WhiteDragon]

Quote:

Originally Posted by Tigairius

I would check both clientside and serverside. That way if they aren't hacking, it won't send a needless trigger to the server.

Unfortunately this results in code duplication, which makes going back and editing things annoying (twice the work, and you better not forget one of the checks). I usually only add in the extra clientside check if it's something that's going to be triggering extremely frequently. Of course this is a matter of preference but this is what I've found to be a nice balance.

The code duplication issue is sadly a hard problem to solve, even outside of Graal, and I haven't really seen a solution I've liked anywhere to port it, so I guess we'll just have deal with it for now in the critical areas.

[Tigairius]

Quote:

Originally Posted by WhiteDragon

Unfortunately this results in code duplication, which makes going back and editing things annoying (twice the work, and you better not forget one of the checks). I usually only add in the extra clientside check if it's something that's going to be triggering extremely frequently. Of course this is a matter of preference but this is what I've found to be a nice balance.

The code duplication issue is sadly a hard problem to solve, even outside of Graal, and I haven't really seen a solution I've liked anywhere to port it, so I guess we'll just have deal with it for now in the critical areas.

I usually use a this.attr[#] serverside to store the price which can be read clientside. Then if price is edited serverside, it applies clientside as well. Basically no code duplication involved?

[fowlplay4]

Quote:

Originally Posted by Tigairius

I usually use a this.attr[#] serverside to store the price which can be read clientside. Then if price is edited serverside, it applies clientside as well. Basically no code duplication involved?

You'll still have duplication (two of the same if statements) even though it's still only one extra line and not really much of a problem since you have the value synced on both.

[WhiteDragon]

Quote:

Originally Posted by Tigairius

I usually use a this.attr[#] serverside to store the price which can be read clientside. Then if price is edited serverside, it applies clientside as well. Basically no code duplication involved?

This only works for values. If your logic is complex enough to require a function, you will have to duplicate it since there is no way to pass a function as data (like you can with a value) from the client<->server (and it'd certainly be impossible to find a way to serialize a function with GS2).