View Full Version : Addressing Security inside NPC?

09-01-2017, 09:34 PM
How secure are attr[] values from a memory editor? I'm defining them serverside and using them to sync data between the server and client. I'm wondering if because of their nature, will a player running a trainer be able to redefine these values?

A stripped down version of my script:

// level NPC
function onCreated() {
this.attr[1] = ITEM;
// class NPC
function onActionCHECK() {

function onPlayerTouchsMe() {
// triggeraction CHECK

As you can see, IF this.attr[1] is accessible by a trainer then the player could inject code to give himself any item on the server.

09-02-2017, 03:51 PM
its pretty secure, you can't read client set attrs on serverside


function onCreated() {
this.attr[2] = "test";


function onActionServerSide(temp.cmd) {
switch(temp.cmd) {
case "testEcho";
echo(this.attr[3]); //wont echo anything
function onCreated() {
this.attr[3] = "test";
triggerserver("gui", this.name, "testEcho");

However you can read server set Attrs on Client

09-04-2017, 07:35 PM
If it's visible on the client than it can be edited in a memory editor.

The security Graal employs simply means secured variables are updated when changed on the server. You can still edit clientr.variables on the clientside but once the server updates the same flag it will push the new value back to the client and change it back. However changes to the client are not pushed to the server unless it's a variable that is synced(such as a client.variable).