new gamemode NWInt question

I am currently creating a gamemode and have a couple of questions about the use of NWInts and exploits with said NWInts.

The gamemode is going to have an RPG element to it (skills and leveling). What I want to know is: if I set those like this

[lua]function saveSkills ( ply )
	local unique_id = ply:SteamID()
	-- read the current stats back from the networked ints
	local Exper = ply:GetNWInt("Exper")
	local BonusHealth = ply:GetNWInt("BonusHealth")
	local ShotSpeed = ply:GetNWInt("ShotSpeed")
	local BonusAmmo = ply:GetNWInt("BonusAmmo")
	local DamageBonus = ply:GetNWInt("DamageBonus")
	-- values are concatenated straight into the query string
	sql.Query("UPDATE skills SET Exper = "..Exper..", bh = "..BonusHealth..", ss = "..ShotSpeed..", ba = "..BonusAmmo..", db = "..DamageBonus.." WHERE unique_id = '"..unique_id.."'")
	ply:ChatPrint("Stats updated !")
end[/lua]

Will this open the client up to edit those NWInts client side and allow them to Cheat Engine their way to victory?
This is run server side.
The only part of this that will be client side will be
ply:GetNWInt("ShotSpeed") and so on.
I don't have the client side of this coded yet, but the plan is basically for the level-up GUI to display the current values by calling ply:GetNWInt("ShotSpeed").

Is this the wrong way to do this? If so, could you please point me in the right direction.

NWInts reset every time the server restarts, so you can't use them for RPG skills; try to use file.Create etc.

[lua]sql.Query("UPDATE skills SET Exper = "..Exper..", bh = "..BonusHealth..", ss = "..ShotSpeed..", ba = "..BonusAmmo..", db = "..DamageBonus.." WHERE unique_id = '"..unique_id.."'")[/lua]

That is a SAVE function (just FYI). I know that bit works, but are there ways AROUND this with client-side editing of the NWInts?

[editline]15th September 2015[/editline]

My only real question is: is this exploitable? And if so, how SHOULD I do it?

You don't need to use NWInts. Just make a variable on each player with their stats, which are set to the SQL value or a default value if the SQL values don't exist.

If you use this method, it’s in your best interest to try to keep everything on the server.

What about displaying these values to the player?

[editline]15th September 2015[/editline]

I think I get what you are saying: instead of using the NWInt to determine what to save, I should only pass the variable to the player with the NWInt and use variables to determine everything server-side.

The wiki says that if you set a networked variable on the client, it will only change on the client. So I guess it's only server to client, and so the client can't manipulate it. http://wiki.garrysmod.com/page/Entity/SetNWInt

But I would use netmessages out of habit for such things anyway http://wiki.garrysmod.com/page/Net_Library_Usage

Edit: Ah, by the way, always escape your queries, even the SteamID, just to be really 100% sure! There are wrappers which escape automatically, like pmysql https://github.com/aStonedPenguin/pMySQL

Just read that first bit myself.

As for net messages, don't they use more network traffic, potentially causing lag with hundreds of variables flying around?

Garry said networked variables are better, but they aren't necessarily faster; however, they can be predicted and work in demos: http://forum.facepunch.com/showthread.php?t=1253834&p=39919712&viewfull=1#post39919712
However, I would just recommend using the style you're comfortable with.

Also please read my edit, as this is important:

How? I'm very new with databases.

With this function: http://wiki.garrysmod.com/page/sql/SQLStr
On the mysql modules it’s often named :escape()

Basically you need to put it around every variable which can be modified by the user. However, sometimes it's hard to decide if it's really modifiable, like the SteamID. That's the reason why PHP developers used to escape everything (but now they use special prepared statements anyway).

So if you escape everything you're safe, and the escape function doesn't really cost any performance.

E.g.

[lua]local test = 2 -- a variable created somewhere
sql.Query("UPDATE players SET info="..sql.SQLStr(test))[/lua]
If you don’t do so, users will be able to use sql injection. https://en.wikipedia.org/wiki/SQL_injection
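To tie the thread's advice together, here is an added example that is not code from any of the posts: stats kept in a server-side table on the player, every value passed through sql.SQLStr before it is concatenated, and NWInts used only to push the numbers to the client for the level-up GUI. The sql.SQLStr stand-in, the fake player object and its SteamID value are assumptions made so the snippet runs in plain Lua outside the game; inside Garry's Mod the real sql.SQLStr and sql.Query are used instead.

```lua
-- Stand-in for GMod's sql.SQLStr so this runs in plain Lua (assumption):
-- wraps the value in single quotes and doubles any embedded quote, which is
-- how SQLite string literals are escaped. Inside GMod the real one is used.
sql = sql or {}
sql.SQLStr = sql.SQLStr or function(value)
	return "'" .. (tostring(value):gsub("'", "''")) .. "'"
end

-- Stat name -> column name in the skills table (names taken from the thread).
local SKILL_COLUMNS = {
	Exper = "Exper", BonusHealth = "bh", ShotSpeed = "ss",
	BonusAmmo = "ba", DamageBonus = "db",
}

-- Builds the UPDATE from ply.Stats, the server-side table that is the only
-- source of truth. Nothing is read back from the client or from NWInts.
local function buildSaveQuery(ply)
	local sets = {}
	for field, column in pairs(SKILL_COLUMNS) do
		local value = ply.Stats[field] or 0
		assert(type(value) == "number", field .. " must be a number")
		sets[#sets + 1] = column .. " = " .. sql.SQLStr(tostring(value))
	end
	table.sort(sets) -- deterministic column order
	-- Even the SteamID goes through SQLStr, as the reply above recommends.
	return "UPDATE skills SET " .. table.concat(sets, ", ")
		.. " WHERE unique_id = " .. sql.SQLStr(ply:SteamID())
end

local function saveSkills(ply)
	local query = buildSaveQuery(ply)
	if sql.Query then sql.Query(query) end -- only available inside GMod
	-- Push copies to the client purely for display; the client cannot change
	-- the server's ply.Stats by editing its own NWInt values.
	for field in pairs(SKILL_COLUMNS) do
		ply:SetNWInt(field, ply.Stats[field] or 0)
	end
	return query
end

-- Constructed fake player for running outside the game. The SteamID carries
-- a stray quote to show that escaping keeps it inside the string literal.
local fakePlayer = {
	Stats = { Exper = 120, BonusHealth = 10, ShotSpeed = 2, BonusAmmo = 30, DamageBonus = 5 },
	SteamID = function() return "STEAM_0:1:123'x" end,
	SetNWInt = function(self, key, value) self[key] = value end,
}
print(saveSkills(fakePlayer))
```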