Data libraries for a future online set up

Hello, my name is Álvaro. Thanks for read me.

I'm learning Unity since 2 years ago. I'm making a simple RPG game and I hope to set-up to online gameplay in the future. I don't have enough familiarity with online set-up and I understand that it can be so hard... but:

I'm making libraries and random info like objects that you can loot from different boxes in game. Or NPCs loot and something like that. My question is: what I must to know about "un-hackeable" and saving data files for my game? I don't want make the online set-up tonight but I think that I must know how is the best way for make an useful game for my future needs. Can you recommend me manuals, info, examples or videos for understand how i must work right now?

Really thank you so much.
EDIT: Only I want to say that my game is developing so so nice for me, your information will help me for work healthy and self confident today and in the future!

 

There is no such thing as "un-hackable". There are only means of reducing risk. There is also no way to save data on the player's computer without it being at risk of manipulation. There are only ways to make it a bit more difficult to manipulate.

In general, in a multiplayer game it is best to trust as little input from the clients as possible, to check any input from the clients for validity whenever you can, and to run as much of the simulation on the server as your game will allow. This reduces the possible ways a hacker could potentially cheat in your game.

For example, say you have a game where the player shoots at another player. If the player doing the shooting also determines if the shot was successful and then passes the result to the server, that opens you up to hacking that part of the game. A hacker could just change every one of their shots to always a successful hit. Better would be to have player send a message to the server saying that it wants to shoot the other player, and have the server calculate whether it hits or misses, then tell both players the result.

In that same example, you probably will have some rate limit on how fast a player can fire their weapon. While you could track that on the client, you also need to track that on the server as well. On the server you then need to drop shooting requests which are faster than allowed. If you only implemented the fire rate limit on the client, a hacker could just send a flood of shoot requests to the server, turning their bow and arrow into a machine gun whenever they want.

Basically all input like that needs verification on the server.

As for saving data, if you save on the player's computer you need to accept that some players will figure out how to edit the saves. You could do things like save in a binary format, implement verification like an md5 sum of the data, or various types of local encryption, but all the code to open the save file is right there on the player's computer waiting for someone skilled enough to figure it out and post it on some public forum for all the novices to jump on.

Take the original Diablo for example. A multiplayer RPG that saved your character data locally. It didn't take long for someone to figure out how to manipulate the character save file and just add near infinite gold or other items. A system where character data is saved by you on some central server would be more difficult to manipulate, but still needs to pay attention to that same input verification stuff as mentioned above, otherwise hackers will attempt to manipulate how their character is saved.

Lastly, in addition to verifying input you also need to be concerned about not sending the player too much data. Look at the problems PUBG is having right now. Core to the game is keeping yourself from being seen by other players, yet the game is plagued by "radar hacks" right now, because the server sends the player the locations of all surrounding players whether they should be aware of them or not. This basically is breaking the game for all the non-cheaters, and it is all because the game is sending too much data to the clients.

 

@Joe-Censored Really thank you. A lot. I didn't have information about that and I think your reply with examples could be impossible to find by myself. I'm going to work in it and read more about.

Peace and thanks a lot!