Max net security

Alright so I’m working on a project (like a lottery) for a simple yet fun and useful FREE release here on facepunch… Now I need help with making sure that there are no exploits… How would one do this because I have to call a net message on client and I know that’s not safe… So how could I go about making this safe

Just give as little power to the player.
Don’t let him specify the player, entity or amount of anything - and if he does, check for malicious behaviour like:

  • negative integers sent
  • player sent being different from the one who sent the message (altho you shouldn’t send player at all)
  • checking if the entity the player sent is within range of use (the range is about 128 to 172) or anything that will make sure he didn’t send the entity in a malicious way.

I gotta somehow get “answers” and “numbers” over to server…

Basically a player types !lottery and this function is run…

-- Server side: draws the ticket and the winning answers, then sends all six
-- values to the player (so the client currently holds the answers too).
function SendLotteryTicket(ply)
	local num1 = math.random(1, 10)
	local num2 = math.random(1, 10)
	local num3 = math.random(1, 10)

	local answer1 = math.random(1, 10)
	local answer2 = math.random(1, 10)
	local answer3 = math.random(1, 10)

	net.Start("LMMLOpenTicket")
		net.WriteFloat(num1)
		net.WriteFloat(num2)
		net.WriteFloat(num3)
		net.WriteFloat(answer1)
		net.WriteFloat(answer2)
		net.WriteFloat(answer3)
	net.Send(ply)
end


then on client they press a button saying get rewards and I need to somehow send that data back… I don’t wanna do this:

-- Client side: echoing the values back to the server.
net.Start("BlahBlahYouGetIt")
	net.WriteFloat(num)
	-- etc., one write per value
net.SendToServer()
because they can just change it

So what - they change it, you compare serverside values with what they sent and if they don’t match - ban the player lol.

Ah i got it! Thanks!

No. You compare serverside values, and if they don’t match you fail - silently or displaying some warning.
You as an addon do not decide who the server bans.

I was just kidding.
It’s obvious that sometimes bugs might occur, like someone having the menu open during the time lottery numbers change, then the user hits ‘Send’ with old values in it.

I don’t think he got the joke.

Just remember the golden rule, never ever trust the client. In every networking situation just pretend as if the client is trying to exploit the system no matter what. Say you had a gun shop and you would send the gun and the price to the server, all you need for the system to be bulletproof then is to have a shared table with the weapon values, give each shop item an ID, and only let the client send the ID, not the details themselves. That way they have no way to inflict with what they pay for or how much they pay for it, therefore keeping it bulletproof. Just always pretend like someone is trying to exploit the system, and you should pretty much be fine following you can understand common sense in programming.

And don’t net receive inside a function like the way you do:

Lol, that’s just going to ban legit people who open it at the same time.

hmm, just an idea, instead of sending the player the lottery numbers when they type !lottery, why not instead send a request to the server that the player wants to play the lottery?
Then calculate everything serverside and whether the player won or not, then just send the final results to the player

Well I see what you mean (and this is already released btw) but I wanted the players to see their numbers before they get the results ya know

You can always fake it!

  1. Calculate the result serverside
  2. Only send the numbers to the player
  3. When player presses a button (or after a certain time), then send the results over

That way players can’t tamper with it. But if it’s released I guess you already solved it :)
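The three steps above, written out as an added example (not code from the thread or the released addon): the server keeps the only copy of each ticket and settles it itself, so the claim message carries no values for the client to tamper with. The "LMMLOpenTicket" name comes from the thread; "LMMLClaimTicket", the lmml_claim command and the result message are assumptions.

```lua
-- Added example, not code from the thread. "LMMLOpenTicket" is the thread's
-- message name; "LMMLClaimTicket" and "lmml_claim" are assumed names.
if SERVER then
    util.AddNetworkString("LMMLOpenTicket")
    util.AddNetworkString("LMMLClaimTicket")

    local tickets = {} -- per SteamID64: the only authoritative copy of a ticket

    local function IssueTicket(ply)
        local t = { nums = {}, answers = {} }
        for i = 1, 3 do
            t.nums[i] = math.random(1, 10)
            t.answers[i] = math.random(1, 10)
        end
        tickets[ply:SteamID64()] = t
        -- The client only gets the numbers to display; answers never leave the server.
        net.Start("LMMLOpenTicket")
        for i = 1, 3 do net.WriteUInt(t.nums[i], 4) end
        net.Send(ply)
    end

    hook.Add("PlayerSay", "LMMLLotteryCommand", function(ply, text)
        if string.lower(string.Trim(text)) == "!lottery" then
            IssueTicket(ply)
            return "" -- keep the command out of chat
        end
    end)

    -- The claim carries no payload: the player is whoever sent the message, and
    -- the server already holds everything needed to settle the ticket.
    net.Receive("LMMLClaimTicket", function(_, ply)
        local id = ply:SteamID64()
        local t = tickets[id]
        if not t then return end -- no ticket, or already claimed: fail silently
        tickets[id] = nil -- one claim per ticket, so a stale menu cannot double-claim
        local matches = 0
        for i = 1, 3 do
            if t.nums[i] == t.answers[i] then matches = matches + 1 end
        end
        -- Hand out the reward here based on `matches`; only the outcome is sent back.
        ply:ChatPrint(string.format("Lottery drew %d %d %d: %d match(es)",
            t.answers[1], t.answers[2], t.answers[3], matches))
    end)
else
    net.Receive("LMMLOpenTicket", function()
        local n1, n2, n3 = net.ReadUInt(4), net.ReadUInt(4), net.ReadUInt(4)
        chat.AddText(string.format("Your ticket: %d %d %d", n1, n2, n3))
    end)
    -- The "get rewards" button just fires this: an empty message to the server.
    concommand.Add("lmml_claim", function()
        net.Start("LMMLClaimTicket")
        net.SendToServer()
    end)
end
```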