Aproaching Character Saving

Godot Version

4.2

Question

Hello, so i’ve been working on a topdown 2D multiplayer RPG game, i’m trying to make a menu for it but i don’t know how i can aproach it

so my problem is that i have a character selection screen, the goal is to have the user being able to create a new character and save it into a itemlist

so at first it’s empty, then when pressing the new character button we go to a character creator, then after we’re done with the characreator by pressing the save button we’re back on the charaselector and we see our pony on the list, after that we can select a character on the list and select a server to connect in.

i’m a bit confused if i should keep using a resource or if i should use a JSON file as i’ve heard the resource file can be used by hackers to run malicious code, laso the resource file just hold value like the colors and apearance stuff right now.

If someone knows a good tutorial or project example i could use to see how it’s made i take it.

Thanks for reading

1 Like

Don’t have an answer, but am very curious about this too.

I’ve read about the possible code-injection exploit of .tres files, not sure if that also applies to .res, so would love hear more about that.
For my type of game, a JSON isn’t as practical as I need to save nested resources and some types that are usually not supported by JSON.

I’ve also encountered this asset that apparently avoids those kinda risks, but I haven’t tried it yet: Godot Safe Resource Loader

1 Like

Anything you get from a remote computer can, potentially, be a problem. Even if it is just malformed data and not malicious, it can crash a game without adequate guarding. The problem comes from assuming the data will be safe because it comes form your own unmodified game and then loading it without checking. JSON is easier to check than a tres file just because it is usually less complex data, while a tres file has more boilerplate.
If what you want to send over is a sprite atlas, send only the sprite image data and interpret it only as image data, that way the worse case is someone sends a dick instead of a pony.
If you also want to avoid that, send only the data of the components and reconstruct the avatar locally, do not send over things that may get executed. Send only strings and numbers, sanitize them before converting them to objects, and then if that doesn’t fail, rebuild the object.

2 Likes

like mentioned above.

Its very similar case in Java serializing objects (or even Records that need checks in constructor). Tho there are filters for this at least.

Here in godot you would need own filter code to protect it, and still you would be not sure if you protected data well.

JSON or any other text format that you parse is safe, but its still up to you how you process it. For example if you process JSON text to “get remove file path” it will still be “unsafe” ofc.

1 Like

i did find this tutorial https://youtu.be/43BZsLZheA4 by the way it’s very well explained and he is also the creator of the saferesourcelaoder plugin and he explain why and how to use it

1 Like