I have this on the server-side:
ReplicatedStorage.ChangeParam.OnServerEvent:Connect(function(player, param, new, folder, save)
    if folder == "leaderstats" then
        player.leaderstats:FindFirstChild(param).Value = new
    elseif folder == "data" then
        player.data:FindFirstChild(param).Value = new
    end
    if save then
        save_data(player)
    end
end) -- Where save_data(player) saves the data.
and can be called in the client-side with:
ReplicatedStorage:WaitForChild("ChangeParam"):FireServer("has_done_intro", true, "data", true)
The thing is, a guy yesterday told me that this is very insecure against hackers and can be easily exploited. How can I make it more secure, and what's exploitable about it now?
Nothing on the client is ever "fully" secure. This isn't just a "ROBLOX thing," this is everything. The client is the local computer executing the code (your computer), and if you have access to that computer, anything is possible.
The secret isn't to secure the client, but to make sure that the server never trusts what the client sends to it. By "never trust," we mean don't code your game like this:
Client: (fires remote) Can I have 9000000 points please?
Server: Uhhhh SURE! Here you go!
Client: Thank you :)
Client: (fires remote) Can I have 9000000 points please?
Server: Hmm, that's a lot of points to award you all at once for seemingly no reason. Let me check to see if this is a legitimate request...
Server: Yeah I don't think I'm going to award you those points.
Client: Dang it... The creator of this game must know what they're doing...
Silly dialog aside, this is really how your game should function. Make sure the server that's receiving the data from a client checks to see if what the client is asking for is legitimate. You may not be able to make it a perfect fail-proof process, but it surely is better than nothing. If you do it right, you'll be happy with the results.
I hope this was able to provide more insight on this topic. If you have any other questions, just let me know.
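The server-side check described in the answer, applied to the handler from the question, as an added example that is not code from either poster. It assumes save_data is defined earlier in the same server Script and that has_done_intro is a BoolValue under player.data; CLIENT_WRITABLE, MIN_INTERVAL and lastCall are hypothetical names.

```lua
-- Added example (server Script). ChangeParam and save_data come from the question;
-- CLIENT_WRITABLE, MIN_INTERVAL and lastCall are hypothetical names.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Players = game:GetService("Players")

-- Only values listed here may be changed at a client's request, and only to the
-- value the server lists. leaderstats is absent on purpose: points are awarded
-- by server-side game logic, never because a client asked for them.
local CLIENT_WRITABLE = {
    has_done_intro = { folder = "data", allowed = true }, -- one-way flag
}

local MIN_INTERVAL = 1 -- seconds between accepted requests per player (assumed)
local lastCall = {}

ReplicatedStorage.ChangeParam.OnServerEvent:Connect(function(player, param)
    -- Every argument after `player` is client-controlled: check its type first.
    if typeof(param) ~= "string" then return end

    local rule = CLIENT_WRITABLE[param]
    if not rule then
        warn(("Rejected ChangeParam %q from %s"):format(param, player.Name))
        return
    end

    -- Simple per-player rate limit so the remote cannot be spammed.
    local now = os.clock()
    if lastCall[player] and now - lastCall[player] < MIN_INTERVAL then return end
    lastCall[player] = now

    -- Resolve the target on the server; a missing or wrong-typed object is ignored.
    local folder = player:FindFirstChild(rule.folder)
    local value = folder and folder:FindFirstChild(param)
    if not value or not value:IsA("BoolValue") then return end

    if value.Value ~= rule.allowed then
        value.Value = rule.allowed -- the server picks the value, not the client
        save_data(player)
    end
end)

Players.PlayerRemoving:Connect(function(player)
    lastCall[player] = nil -- drop rate-limit state for players who leave
end)
```

The client call from the question still works unchanged; the handler ignores the extra arguments (new value, folder, save flag) instead of trusting them.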