
Kravian

Technical Details
Filename kravian_v0.3.zip
Size 5.33 MB
Downloads 133
Author Unknown
Created 2010-04-30
Changed 2025-12-17
System PHP 5.x
Price $0.00

Grow your village into a sprawling domain on a vast world map. Manage wood, clay, iron, and crop; upgrade fields and buildings; train infantry and cavalry; and coordinate raids and defenses with your alliance. Real‑time production, detailed combat reports, and a persistent landscape make every hour of planning and expansion matter.

Choose your tribe and specialize your strategy—settle new villages, trade smart in the marketplace, and use scouting to outmaneuver rivals. With plus-style conveniences and server-wide rankings, Kravian captures the long-form thrill of building, fighting, and conquering across seasons of competitive play.

File Verification
MD5 Checksum
09ff92b4b196534fd7afb179d183b02c
SHA1 Checksum
2ebf01e63a0ef5f9f2022c6ff1bb3bebc27c587c

Game Analysis Report

1. OVERVIEW

Type: Browser-based strategy MMOG (Travian clone)

Tech Stack: PHP 5.3.0+, MySQL/MySQLi, HTML, CSS, JavaScript

Files: 1,035 files (57 PHP, 330 .tpl templates, 406 GIF, 225 JPG, 7 CSS, 5 JS)

Database: 31 tables

License: GNU LGPL v.3

Developer: scr1pt, 2kdesign.es

Date: May 2010 (Rev 0.0.3)

Status: Incomplete/Beta

Kravian is an unauthorized clone of the popular browser strategy game Travian (published by Travian Games). The name "Kravian" is a near-anagram of "Travian" and the entire game mechanics, art assets, UI, German filenames (dorf1.php, dorf2.php, berichte.php, nachrichten.php), and gameplay loop are direct replicas. Features Roman/Gallic/Teutonic tribes building villages, training armies, conquering territories on a persistent world map, and forming alliances.

Key Features:

  • 3 playable tribes (Romans, Gauls, Teutons) with unique units
  • Village building simulation (30+ building types: barracks, stables, marketplace, palace, etc.)
  • Resource management (wood, clay, iron, crop production)
  • Real-time combat and raid simulation
  • World map with 801x801 coordinate grid (640,801 villages potential)
  • Alliance system with diplomacy (war/alliance/NAP)
  • Reports, messaging, statistics, and ranking systems
  • Plus account system (premium features)
  • Multi-language support (English, Portuguese)
  • Admin/moderator control panel (but folder empty!)

Critical Issues:

  • ILLEGAL: Unauthorized clone of copyrighted Travian game (trademark/IP infringement)
  • INCOMPLETE: Rev 0.0.3 beta status, admin panel folder empty, many features marked "pending debug"
  • CATASTROPHIC SECURITY: No input sanitization, direct $_GET/$_POST interpolation into SQL, MD5 passwords, no CSRF tokens, direct credential exposure in installer

---

2. ARCHITECTURE

Pattern: MVC-like with Template System

Structure:


kravian_v0.3/
├── Kravian v0-3/
│   ├── engine/           # Core business logic (16 classes)
│   │   ├── Account.php
│   │   ├── Alliance.php
│   │   ├── Automation.php
│   │   ├── Battle.php
│   │   ├── Building.php  (680 lines - building management)
│   │   ├── Database.php
│   │   ├── database/
│   │   │   ├── db_MYSQLi.php  (1,281 lines - all DB operations!)
│   │   │   ├── db_MYSQL.php   (1,144 lines - legacy mysql_* API)
│   │   │   └── db_mysql_bak.php
│   │   ├── Data/         # Game constants (units, buildings, resources)
│   │   ├── Form.php
│   │   ├── Generator.php
│   │   ├── Lang/         # Language files
│   │   ├── Logging.php
│   │   ├── Mailer.php
│   │   ├── Market.php
│   │   ├── Message.php
│   │   ├── Multisort.php
│   │   ├── Notes/        # "DO NOT REMOVE THIS FOLDER" placeholder
│   │   ├── Prevention/   # "DO NOT REMOVE THIS FOLDER" placeholder
│   │   ├── Profile.php
│   │   ├── Ranking.php
│   │   ├── report.php
│   │   ├── Session.php
│   │   ├── Technology.php
│   │   ├── Units.php
│   │   └── Village.php
│   ├── Templates/        # 330 .tpl template files (HTML with PHP inline)
│   │   └── menu.tpl      # Navigation menu
│   ├── gpack/            # Graphics pack (travian_0002/)
│   ├── img/              # Game images (631 images - GIF/JPG)
│   ├── install/          # Installation wizard
│   │   ├── data/
│   │   │   ├── sql.sql   (809 lines, 31 CREATE TABLE statements)
│   │   │   └── constant_format.tpl
│   │   ├── include/
│   │   │   └── database.php  (MySQLi/MySQL installer DB class)
│   │   ├── index.php
│   │   └── process.php   (132 lines - generates Config.php from POST)
│   ├── cpanel/           # Admin control panel (EMPTY FOLDER!)
│   ├── support/          # Support system folder
│   ├── news/             # News system folder
│   ├── ajax.php          # AJAX handlers (map data, village data)
│   ├── allianz.php       # Alliance management (German: "Allianz")
│   ├── anmelden.php      # Registration (German: "Anmelden")
│   ├── berichte.php      # Reports (German: "Berichte")
│   ├── build.php         # Building construction UI
│   ├── dorf1.php         # Resource village view (German: "Dorf" = village)
│   ├── dorf2.php         # Center village view (buildings)
│   ├── karte.php         # World map (German: "Karte")
│   ├── login.php
│   ├── logout.php
│   ├── nachrichten.php   # Messages (German: "Nachrichten")
│   ├── spieler.php       # Player profile (German: "Spieler")
│   ├── statistiken.php   # Statistics (German)
│   ├── support.php       # Support system
│   ├── plus.php          # Premium Plus account management
│   ├── warsim.php        # War simulator
│   ├── changelog.php     # Version history (Rev 0.0.3)
│   ├── mt-*.js           # JavaScript libraries (map, UI)
│   └── favicon.ico

Architecture Rating: 5/10 - Decent class-based separation (16 engine classes), but marred by 1,281-line database monolith, German/English filename mix, empty admin folder, incomplete implementation, and no Config.php separation (generated by installer). Template system is basic PHP inline (not a real templating engine like Smarty).

Largest PHP Files:

  • db_MYSQLi.php - 1,281 lines (entire DB API in one class!)
  • db_MYSQL.php - 1,144 lines (legacy mysql_* version)
  • Building.php - 680 lines (building construction/upgrade logic)
  • Automation.php - 379 lines (scheduled tasks, cleanup)

---

3. SECURITY ANALYSIS

Security Rating: 0/10 - CATASTROPHIC

Critical Vulnerabilities:

  • SQL Injection Everywhere:

// ajax.php lines 2-7 - Direct GET into SQL
$x = $_GET['x'];
$y = $_GET['y'];
$xx = $_GET['xx'];
$yy = $_GET['yy'];
// Directly used in queries without escaping!
// build.php line 17 - Direct session assignment from GET
$_SESSION['wid'] = $_GET['newdid'];
// db_MYSQLi.php line 19 - Direct interpolation
$q = "SELECT username FROM ".TB_PREFIX."users where username = '$ref' LIMIT 1";
// db_MYSQLi.php line 37 - Direct username/sessid interpolation
$q = "SELECT username FROM ".TB_PREFIX."users where username = '$username' and sessid = '$sessid' LIMIT 1";
// db_MYSQLi.php line 72 - Direct field name interpolation (!)
$q = "UPDATE ".TB_PREFIX."users set $field = '$value' where username = '$username'";

NO PREPARED STATEMENTS. Every single database query uses direct string interpolation of $_GET, $_POST, $_SESSION, and function parameters. Trivial SQL injection in literally every endpoint.

  • No Input Validation/Sanitization:

$ grep -rE "htmlspecialchars|htmlentities|strip_tags|addslashes" kravian_v0.3/ --include="*.php"

ZERO instances of htmlspecialchars(), htmlentities(), strip_tags(), or even addslashes() in all 57 PHP files. Every user input is blindly echoed into HTML (XSS) and SQL (injection).

  • MD5 Password Storage:

// db_MYSQLi.php line 83 - Password verification
$row = $result->fetch_assoc();
if($row['password'] == md5($password)) {
    return true;
}
// install/process.php line 121 - Admin account creation
$q = "INSERT INTO ".TB_PREFIX."users (username,password,access,email,timestamp,tribe)
VALUES ('".$_POST['user']."', '".md5($_POST['pass'])."', ...";

Passwords are hashed with unsalted MD5, so rainbow table attacks are trivial.

  • Installer Credential Exposure:

// install/process.php lines 32-45 - Writes Config.php from raw POST
$text = preg_replace("'%SSERVER%'",$_POST['sserver'],$text);
$text = preg_replace("'%SUSER%'",$_POST['suser'],$text);
$text = preg_replace("'%SPASS%'",$_POST['spass'],$text);
$text = preg_replace("'%SDB%'",$_POST['sdb'],$text);
fwrite($fh, $text);

Database credentials written to include/constant.php from unvalidated $_POST. No validation, no escaping. Installer process is completely insecure.

  • No CSRF Protection:

// build.php lines 36-42 - State-changing action via GET
if(isset($_GET['a']) && $get['c'] == $session->checker && !isset($get['id'])) {
    if($get['a'] == 0) {
        $this->removeBuilding($get['d']);
    } else {
        $session->changeChecker();
        $this->upgradeBuilding($get['a']);
    }
}

The code has a "checker" token mechanism ($session->checker), but it's trivially bypassed since session IDs are predictable and no per-form tokens exist.

  • Direct File Writes:

// install/process.php lines 27-30
$myFile = "include/constant.php";
$fh = fopen($myFile, 'w') or die("can't open file");
fwrite($fh, $text);

The installer writes arbitrary PHP files. If the installer is not deleted post-install, an attacker can regenerate Config.php and inject code.

  • Empty Admin Panel:

$ ls -la "cpanel/"

Template references cpanel/moderator/ and cpanel/admin/ but these folders don't exist! Dead links, incomplete implementation.

Attack Surface:

  • SQL injection: ajax.php, allianz.php, build.php, dorf1.php, dorf2.php, karte.php, spieler.php, statistiken.php, and all 1,281 lines of db_MYSQLi.php
  • XSS: Every page that echoes user input (no htmlspecialchars anywhere)
  • Privilege escalation: Modify access field via SQL injection to become admin
  • Session hijacking: Predictable session IDs, no HttpOnly flag
  • Data exfiltration: Dump entire world map (640K villages), user credentials, alliance data
  • DoS: Automated attacks overwhelm game server

Deployment Risk: NEVER DEPLOY. This is a honeypot waiting to happen. Any live instance would be compromised in hours. The complete absence of input sanitization combined with direct SQL interpolation means automated scanners will find SQL injection endpoints instantly.
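
A hardened form of the build.php action check from the CSRF item above, as an added example that is not Kravian code: the token is an HMAC over the action and its target, keyed with a per-session random secret, and state changes are accepted only via POST. The function names, the `csrf_secret` session key and the `action`/`target`/`token` field names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Kravian code. $session stands in for $_SESSION so the
// script runs from the CLI; all names below are hypothetical.

/** Create the per-session secret once, from a CSPRNG (PHP 7+). */
function csrfSecret(array &$session): string
{
    if (!isset($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

/** Token bound to one action on one target, e.g. ("upgrade", "19"). */
function csrfToken(array &$session, string $action, string $target): string
{
    return hash_hmac('sha256', $action . "\0" . $target, csrfSecret($session));
}

/** Accept a state change only via POST and only with a matching token. */
function isAuthorizedAction(array &$session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                     // links and image tags issue GET
    }
    foreach (['action', 'target', 'token'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return false;                 // missing or array-typed input
        }
    }
    if (!in_array($post['action'], ['upgrade', 'remove'], true)) {
        return false;
    }
    $expected = csrfToken($session, $post['action'], $post['target']);
    return hash_equals($expected, $post['token']);   // constant-time compare
}

// Constructed demo: one player's session and one foreign session.
$session = [];
$other   = [];
$token   = csrfToken($session, 'upgrade', '19');
$foreign = csrfToken($other, 'upgrade', '19');

$results = [
    'valid POST' => isAuthorizedAction($session, 'POST',
        ['action' => 'upgrade', 'target' => '19', 'token' => $token]),
    'same fields sent via GET' => isAuthorizedAction($session, 'GET',
        ['action' => 'upgrade', 'target' => '19', 'token' => $token]),
    'token reused for another action' => isAuthorizedAction($session, 'POST',
        ['action' => 'remove', 'target' => '19', 'token' => $token]),
    'token from another session' => isAuthorizedAction($session, 'POST',
        ['action' => 'upgrade', 'target' => '19', 'token' => $foreign]),
];
foreach ($results as $label => $ok) {
    printf("%-34s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```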

---

4. NOTABLE FEATURES & INNOVATION

Innovation Rating: 3/10 - Functional Travian clone, but nothing original

Positive Aspects:

  • Database Abstraction Layer:

// engine/Database.php - Dual MySQLi/MySQL support
// db_MYSQLi.php - Modern MySQLi OOP interface
// db_MYSQL.php - Legacy mysql_* procedural API fallback

Supports both deprecated mysql_ functions and modern mysqli_ via switchable DB classes. Shows awareness of PHP deprecation (PHP 5.5 removed mysql_*), though implementation is flawed.

  • Template System:

330 .tpl files separate presentation from logic (though still PHP inline, not a real templating engine). Shows attempt at MVC separation.

  • Comprehensive Game Mechanics:

-- 31 tables cover:
users, vdata (villages), wdata (world map 801x801),
units (50 unit types), training, research,
movement (troop movements), market (trading),
alidata (alliances), diplomacy,
enforcement (reinforcements), fdata (fields),
bdata (building queue), odata (orders),
ndata (reports), mdata (messages),
statistics, active (online tracking),
build_log, tech_log, login_log, market_log, gold_fin_log, war_log, illegal_log

Database schema is well-designed for a persistent MMOG. Covers village management, combat, diplomacy, economy, and extensive logging.

  • Real-Time Resource Production:

// Automation.php - Resource calculation
// changelog.php: "Resource Production now in real time"

Implements continuous resource generation between page loads (not just on refresh).

  • Combat Simulator:

// Battle.php - Combat resolution
// warsim.php - War simulator for planning attacks

Includes pre-battle simulator (like Travian's) so players can test troop compositions before committing.

  • Multi-Language Support:

// engine/Lang/ - Language files (English, Portuguese)
// Templates use constants: HOME, INSTRUCT, LOGIN, REG, FORUM, etc.

Prepared for internationalization, though only partial implementation (changelog shows "10% lang system implemented").

  • Plus Account System:

// plus.php - Premium features
// References "Travian Plus" with gold/premium accounts

Monetization strategy via premium subscriptions (though likely illegal since cloning Travian's business model).

  • Admin Logging:

-- 7 dedicated log tables:
build_log, tech_log, login_log, market_log, gold_fin_log, war_log, illegal_log

Extensive auditing infrastructure (build activity, tech research, logins, market trades, gold purchases, war actions, cheating detection).

Negative Aspects:

  • Incomplete Implementation:

// changelog.php Rev 0.0.3:
"[M] Partially developed a2b.php - Fixed time of unit action"
"[+] In part class developed for the demolition of buildings, pending debug and complete"
"[+] Implemented lang system 10%"

Still in early beta (v0.0.3). Many features marked "pending debug" or "partially developed."

  • Illegal Travian Clone:
  • Name "Kravian" = Travian anagram
  • German filenames (dorf, berichte, nachrichten) = Travian naming
  • Graphics pack travian_0002/ = stolen Travian assets
  • UI, game mechanics, building names, unit types = exact Travian copy
  • Logo: Travian - literally uses "Travian" in alt text!

This is trademark infringement and copyright theft. Gameforge/Travian Games has aggressively pursued clones with C&D letters and lawsuits.

  • Empty Admin Panel:

$ ls cpanel/

Templates reference admin/moderator control panels but they don't exist. Dead links throughout game.

  • No Original Ideas:

Every mechanic is Travian. No innovation. Pure clone.

---

5. CODE QUALITY

Code Quality Rating: 4/10 - Structured but buggy and insecure

Positive Patterns:

  • Class-Based Organization:

// 16 separate engine classes:
Account, Alliance, Automation, Battle, Building, Database, Form,
Generator, Logging, Mailer, Market, Message, Multisort, Profile,
Ranking, Session, Technology, Units, Village

Good separation of concerns, unlike monolithic procedural code in many PHP4-era games.

  • Consistent Naming:

// engine/database/db_MYSQLi.php method examples:
checkExist($ref,$mode)
checkactiveSession($username,$sessid)
setDeleting($uid,$mode)
updateUserField($username,$field,$value)
login($username,$password)

CamelCase class names, lowercase methods, descriptive function names.

  • Database Constant Prefixing:

// All queries use:
TB_PREFIX."users"
TB_PREFIX."vdata"
// Allows multiple game instances in one database

Table prefix system for multi-tenancy (like WordPress).

  • Comprehensive Comments:

// Building.php header:

Copyright: Kravian (c) 2009-2010. All rights reserved. #


All engine files have detailed headers with developer, license, version.

Negative Patterns:

  • 1,281-Line Database Monolith:

// db_MYSQLi.php - 1,281 lines, 100+ methods
checkExist(), checkactiveSession(), setDeleting(), updateUserField(),
login(), sitterLogin(), ... (continues for 1,200+ lines)

God Object anti-pattern. Every DB operation in one giant class. Should be split into repositories (UserRepository, VillageRepository, AllianceRepository, etc.).

  • No Input Validation Layer:

Every DB method accepts raw strings without validation:


function updateUserField($username,$field,$value) {
    $q = "UPDATE ".TB_PREFIX."users set $field = '$value' where username = '$username'";
    return $this->connection->query($q);
}

The method trusts its caller to sanitize, which violates "defense in depth."

  • Magic Numbers:

// Building.php lines 90-95:
case 1: return 5; break;
case 2: return 6; break;
case 3: return 7; break;
case 4:
if($id >= 19) {
if($session->tribe == 1 || ALLOW_ALL_TRIBE) {

No constants explaining what 1/2/3/4, 5/6/7, 19, or tribe==1 mean. Unmaintainable.

  • Mixed Languages:

German filenames (dorf1.php, berichte.php) coexist with English class names and Spanish developer emails. Confusing for international contributors.

  • Empty Placeholder Folders:

engine/Notes/DO NOT REMOVE THIS FOLDER.txt
engine/Prevention/DO NOT REMOVE THIS FOLDER.txt

Placeholder folders with warnings not to delete them... but they're empty. Why?

  • Dead Code:

// db_mysql_bak.php - 393 line backup file

Backup files committed to release. Poor version control hygiene.

Refactoring Priority:

  • Split db_MYSQLi.php into repository classes
  • Add input validation layer
  • Implement prepared statements
  • Replace magic numbers with constants
  • Complete admin panel
  • Standardize language (pick English OR German, not both)
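
What the first three refactoring items look like for updateUserField() and checkactiveSession(), and for the interpolated queries listed in the security analysis, as an added example that is not Kravian code. It swaps MySQLi for PDO with an in-memory SQLite database so it runs without a server; the `UserRepository` class, the column allow-list and the sample rows are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Kravian code. PDO with in-memory SQLite stands in for
// MySQLi; the table is a constructed subset of the users columns quoted on
// the page. Requires PHP 7.1+ with pdo_sqlite.
const TB_PREFIX = 's1_';                  // constructed sample prefix

final class UserRepository
{
    // Identifiers cannot be bound as parameters, so a dynamic column name is
    // matched against literals. Hypothetical list: 'access' and 'password'
    // are left out on purpose.
    private const UPDATABLE_FIELDS = ['email', 'tribe'];

    /** @var PDO */
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
    }

    public function updateUserField(string $username, string $field, string $value): bool
    {
        if (!in_array($field, self::UPDATABLE_FIELDS, true)) {
            throw new InvalidArgumentException('field is not updatable');
        }
        // $field is now one of our own literals; values travel as parameters.
        $stmt = $this->db->prepare(
            'UPDATE ' . TB_PREFIX . "users SET $field = :value WHERE username = :username"
        );
        $stmt->execute([':value' => $value, ':username' => $username]);
        // Note: on MySQL rowCount() counts changed rows, not matched rows.
        return $stmt->rowCount() === 1;
    }

    public function checkActiveSession(string $username, string $sessid): bool
    {
        $stmt = $this->db->prepare(
            'SELECT 1 FROM ' . TB_PREFIX . 'users WHERE username = :u AND sessid = :s LIMIT 1'
        );
        $stmt->execute([':u' => $username, ':s' => $sessid]);
        return $stmt->fetchColumn() !== false;
    }
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . TB_PREFIX . 'users
        (username TEXT PRIMARY KEY, email TEXT, access INTEGER, tribe INTEGER, sessid TEXT)');
    $db->exec('INSERT INTO ' . TB_PREFIX . "users VALUES
        ('alice', 'alice@example.test', 2, 1, 'sess-a'),
        ('bob',   'bob@example.test',   2, 3, 'sess-b')");
    $repo = new UserRepository($db);
    $out  = [];

    // A value containing a quote is stored verbatim instead of ending the literal.
    $email = "o'neil@example.test";
    $out['update with quote in value'] = $repo->updateUserField('alice', 'email', $email);
    $row = $db->query('SELECT email, access FROM ' . TB_PREFIX . "users WHERE username = 'alice'")
              ->fetch(PDO::FETCH_ASSOC);
    $out['value stored verbatim'] = $row['email'] === $email;
    $out['access unchanged']      = (int) $row['access'] === 2;

    $out['valid session']             = $repo->checkActiveSession('alice', 'sess-a');
    $out['quote in username, no row'] = $repo->checkActiveSession("al'ice", 'sess-a');

    // Columns outside the allow-list never reach the SQL string.
    foreach (['access', 'password'] as $field) {
        try {
            $repo->updateUserField('alice', $field, '9');
            $out["update $field"] = 'executed';
        } catch (InvalidArgumentException $e) {
            $out["update $field"] = 'rejected';
        }
    }
    return $out;
}

foreach (demo() as $label => $result) {
    echo str_pad($label, 30), var_export($result, true), "\n";
}
```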

---

6. DEPENDENCIES & REQUIREMENTS

Technology Stack:

Required:

  • PHP: 5.3.0+ (changelog shows phpMyAdmin SQL Dump from PHP 5.3.0 session)
  • MySQL: 5.1.36+ (sql.sql generated from MySQL 5.1.36)
  • MySQLi Extension: Required if using db_MYSQLi.php (default)
  • Legacy mysql Extension: Optional if using db_MYSQL.php (deprecated PHP 5.5+)
  • Web Server: Apache (assumes .htaccess based on structure)
  • PHP Extensions:
  • mysqli or mysql
  • session
  • gd (likely, for image manipulation - though not verified)
  • mail() function (for Mailer.php)

Optional:

  • phpMyChat: Referenced in some templates (external chat integration)

External Dependencies:

  • None explicitly declared (no Composer, no package.json)
  • JavaScript libraries appear custom (mt-core.js, mt-more.js, mt-full.js, unx.js, new.js)
  • CSS is custom (gpack/travian_0002/lang/en/lang.css, compact.css)

Database Schema:

31 tables (see sql.sql for CREATE TABLE statements):

  • Core: users, vdata (villages), wdata (world map), active (online tracking)
  • Combat: units, training, research, movement, enforcement (reinforcements)
  • Economy: market, fdata (fields), odata (orders)
  • Social: alidata (alliances), ali_permission, ali_invite, ali_log, diplomacy, mdata (messages), ndata (reports)
  • Logs: build_log, tech_log, login_log, market_log, gold_fin_log, war_log, illegal_log
  • Queue: bdata (building queue), send (scheduled sends)
  • Admin: deleting (account deletion queue), statistics (world stats)

Installation:

  • Upload files to web server
  • Navigate to install/index.php
  • Enter DB credentials (written to include/constant.php - INSECURE)
  • Installer creates 31 tables via sql.sql
  • Installer generates world map data (include/wdata.php - 640K+ villages!)
  • Create admin account
  • DELETE install/ FOLDER (critical - else anyone can regenerate Config.php)
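
An installer step that writes the credentials safely and cannot be re-run, as an added example that is not Kravian code. The POST keys and constant names are the ones quoted on this page; the validation patterns, the function names and the generated file layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Kravian code. Requires PHP 7.1+.

/** Build the PHP source of the config file from installer input. */
function renderConfig(array $post): string
{
    // POST key => [constant name, allowed pattern (null = any string)]
    $rules = [
        'sserver' => ['SQL_SERVER', '/\A[A-Za-z0-9.\-]{1,253}(:[0-9]{1,5})?\z/'],
        'suser'   => ['SQL_USER',   '/\A[A-Za-z0-9_]{1,32}\z/'],
        'spass'   => ['SQL_PASS',   null],
        'sdb'     => ['SQL_DB',     '/\A[A-Za-z0-9_]{1,64}\z/'],
    ];
    $lines = ['<?php'];
    foreach ($rules as $key => [$constant, $pattern]) {
        $value = $post[$key] ?? null;
        if (!is_string($value) || strlen($value) > 255) {
            throw new InvalidArgumentException("bad value for $key");
        }
        if ($pattern !== null && preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("bad value for $key");
        }
        // var_export() emits an escaped PHP string literal, so quotes and
        // backslashes stay data. preg_replace() would also have treated a
        // "$1" inside the password as a backreference.
        $lines[] = sprintf("define('%s', %s);", $constant, var_export($value, true));
    }
    return implode("\n", $lines) . "\n";
}

/** Write the config exactly once; a second run cannot overwrite it. */
function writeConfigOnce(string $path, string $source): void
{
    $fh = @fopen($path, 'x');             // 'x' fails if the file already exists
    if ($fh === false) {
        throw new RuntimeException('config already exists; installer is locked');
    }
    fwrite($fh, $source);
    fclose($fh);
    chmod($path, 0640);
}

// Constructed installer input.
$post = [
    'sserver' => 'localhost',
    'suser'   => 'kravian',
    'spass'   => 'p\'a"ss\\w$1rd',        // quote characters, a backslash and "$1"
    'sdb'     => 'kravian_s1',
];
$path = sys_get_temp_dir() . '/constant_' . bin2hex(random_bytes(4)) . '.php';

writeConfigOnce($path, renderConfig($post));
require $path;                            // defines SQL_SERVER, SQL_USER, ...
echo 'password round-trips: ', var_export(SQL_PASS === $post['spass'], true), "\n";

try {
    writeConfigOnce($path, renderConfig($post));
    echo "second run: config overwritten\n";
} catch (RuntimeException $e) {
    echo 'second run: ', $e->getMessage(), "\n";
}

try {
    renderConfig(['sdb' => 'not a db name'] + $post);
    echo "invalid database name: accepted\n";
} catch (InvalidArgumentException $e) {
    echo 'invalid database name: ', $e->getMessage(), "\n";
}

unlink($path);
```

The exclusive-create lock complements, and does not replace, deleting install/ after setup.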

Configuration:

All settings written to include/constant.php by installer:


// Sample constants:
SERVER_NAME, LANG, SPEED, INCSPEED (increase speed multiplier),
TRACK_USERS, UTIMEOUT (user timeout),
AUTODEL (auto-delete inactive), AUTODELTIME,
WMAX (world max size), GPACK (graphics pack),
SQL_SERVER, SQL_USER, SQL_PASS, SQL_DB, TB_PREFIX,
CONNECT_TYPE (MySQLi=1, MySQL=0),
ADMIN_EMAIL, ADMIN_NAME, SUBDOM (subdomain),
LOG_BUILD, LOG_TECH, LOG_LOGIN, LOG_GOLD_FIN, LOG_ADMIN, LOG_WAR, LOG_MARKET, LOG_ILLEGAL,
MIN_USERLENGTH, MIN_PASSLENGTH, SPECIALCHARS (allow in usernames),
ACTIVATE (email activation), ADMIN_RANK, ACT_CENSOR (censorship), CENSORED_WORDS

Extensive configurability (game speed, logging, registration rules, censorship), but no security hardening (credentials in plaintext PHP file).

---

7. BROWSER RPG MECHANICS

Game Type: Persistent World Browser Strategy MMOG (Travian Clone)

Core Gameplay Loop:

  • Village Management:
  • Start with 1 village (Romans/Gauls/Teutons)
  • 18 resource fields (4 wood, 4 clay, 4 iron, 6 crop)
  • Upgrade fields to increase production (levels 1-10+)
  • Build 30+ building types in village center
  • Buildings: Resources (warehouse, granary), Military (barracks, stable, workshop, residence), Economy (marketplace, smithy), Defensive (wall, traps)
  • Resource Production:
  • 4 resources: Wood, Clay, Iron, Crop
  • Real-time generation (passive income while offline)
  • Upgrade resource fields and buildings for faster production
  • Trade resources via marketplace
  • Military:
  • Train units: Infantry, Cavalry, Siege (30+ unit types across 3 tribes)
  • Research technologies in Academy
  • Attack other players (raid for resources, conquer villages)
  • Defend against attacks (wall defense, stationing troops)
  • Reinforce allies (send defensive troops)
  • Expansion:
  • Build Palace/Residence → train Settlers → found new villages
  • Conquer enemy villages via Senators/Chiefs (reduce loyalty)
  • Multi-village empire (max villages determined by population)
  • Alliances:
  • Join/create alliances with other players
  • Alliance permissions (leader, advisor, recruiter)
  • Diplomacy: War, Alliance, NAP (non-aggression pact)
  • Coordinate attacks, share resources, defend together
  • World Map:
  • 801x801 coordinate grid (640,801 potential villages)
  • Players scatter across map (random starting positions)
  • Strategic locations (oases for resource bonuses)
  • Send scouts to explore, attacks to raid/conquer
  • Reports & Communication:
  • Detailed combat reports (attackers, defenders, casualties, loot)
  • Messaging system (PM other players)
  • Alliance forums (external phpMyChat integration)
  • Progression:
  • Statistics/rankings (top players, alliances, attackers, defenders)
  • Achievements implied (though not implemented in v0.0.3)
  • Long-term goal: Dominate server (most villages, strongest alliance)

Plus Account (Premium):


// plus.php - Premium features
// Likely includes:
// - Extra building queue slots
// - Faster unit training
// - NPC trader (instant resource conversion)
// - Map overlays
// - Gold for speeding constructions

Freemium model: Free to play, pay for convenience/speed.

Time Investment:

  • Casual: 15-30 min/day (check resources, upgrade buildings, train troops)
  • Active: 2-4 hours/day (coordinate attacks, manage multiple villages)
  • Hardcore: 8+ hours/day (alliance leadership, war campaigns)

Travian is notorious for requiring 24/7 attention during wars (timed attacks overnight).

Replayability: Low (single-server progression, eventual dominance by veterans), but Travian/Kravian servers typically "reset" every 6-12 months for new rounds.

---

8. MODERNIZATION ASSESSMENT

Modernization Effort: $18,000 - $24,000 (240-320 hours)

Priority 1: Security Overhaul (80-120 hours, $6K-$9K):

  • Implement prepared statements (replace all 1,281 lines of direct SQL in db_MYSQLi.php)
  • Add input validation layer (whitelist validators for all $_GET/$_POST)
  • Replace MD5 with bcrypt (password_hash()/password_verify())
  • Implement CSRF tokens for all forms
  • Add htmlspecialchars() to all output
  • Secure installer (move credentials to .env, delete installer post-setup)
  • Add rate limiting (login attempts, API calls)
  • Implement HttpOnly/Secure session cookies
  • Add SQL injection protection (parameterized queries, ORM consideration)
  • XSS protection (Content Security Policy headers)
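
The MD5-to-password_hash() item above, as an added example that is not Kravian code: legacy hashes are verified once more at login and replaced on success, so no password reset is needed. The function names and the in-memory `$users` store are hypothetical, and the accounts are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Kravian code. $users stands in for the users table
// (username => stored hash). Requires PHP 7.1+.

/**
 * Check a password and report whether the stored hash must be replaced.
 * Returns [bool $ok, ?string $replacementHash].
 */
function verifyAndUpgrade(string $password, string $stored): array
{
    // Legacy rows hold the 32 hex digits that md5() produced.
    if (preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1) {
        // hash_equals() is a strict, constant-time string comparison, unlike
        // the == in the original login(), which compares numeric-looking
        // strings as numbers.
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        // PASSWORD_DEFAULT is bcrypt in current PHP releases.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Also picks up later cost or algorithm changes.
    $replacement = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $replacement];
}

function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    [$ok, $replacement] = verifyAndUpgrade($password, $users[$username]);
    if ($ok && $replacement !== null) {
        // In the game this is a parameterized UPDATE of the password column.
        $users[$username] = $replacement;
    }
    return $ok;
}

// Constructed accounts as the original installer would have stored them.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => md5('battery staple'),
];

$report = [
    'wrong password rejected'      => login($users, 'alice', 'guess') === false,
    'hash untouched after failure' => $users['alice'] === md5('correct horse'),
    'first login accepted'         => login($users, 'alice', 'correct horse'),
    'hash replaced on success'     => $users['alice'][0] === '$',
    'second login via new hash'    => login($users, 'alice', 'correct horse'),
    'bob still on legacy hash'     => strlen($users['bob']) === 32,
];
foreach ($report as $label => $value) {
    echo str_pad($label, 32), var_export($value, true), "\n";
}
```

Accounts that never log in again keep their MD5 hash, so a migration like this needs a cut-off date after which remaining legacy rows are invalidated and reset by email.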

Priority 2: Architecture Refactoring (60-80 hours, $4.5K-$6K):

  • Split db_MYSQLi.php (1,281 lines) into repositories:
  • UserRepository, VillageRepository, AllianceRepository, CombatRepository, MarketRepository, MessageRepository
  • Introduce proper MVC framework (Laravel/Symfony/Slim)
  • Replace inline PHP templates with Twig/Blade
  • Centralize configuration (replace constant.php with .env and config classes)
  • Remove dead code (db_mysql_bak.php, empty folders)
  • Standardize language (all English filenames: dorf1.php → village_resources.php, berichte.php → reports.php)

Priority 3: Complete Missing Features (40-60 hours, $3K-$4.5K):

  • Build admin panel (cpanel/admin/, cpanel/moderator/)
  • Complete language system (expand from 10% to 100%)
  • Finish building demolition feature ("pending debug")
  • Complete a2b.php development ("partially developed")
  • Add missing validation (building prerequisites, resource costs, tribe restrictions)

Priority 4: Modern Tech Stack (30-40 hours, $2.25K-$3K):

  • Upgrade to PHP 8.x
  • Replace deprecated mysql_* functions (remove db_MYSQL.php, keep only MySQLi)
  • Add Composer for dependency management
  • Implement PSR-4 autoloading
  • Add PHPUnit tests (unit tests for combat simulation, resource calculation)
  • Dockerize deployment (LAMP stack container)

Priority 5: Legal Compliance (20-30 hours, $1.5K-$2.25K):

  • REBRAND: Change name from "Kravian" (Travian clone) to something original
  • Replace all Travian graphics (create original art or license free assets)
  • Rewrite UI text (avoid copying Travian's exact wording)
  • Remove "Travian" references from code (alt="Travian", CSS class logo_plus)
  • Consider consulting IP lawyer (Gameforge has sued clones before)

Priority 6: UI/UX Improvements (10-20 hours, $750-$1.5K):

  • Responsive design (mobile-friendly - Travian is desktop-only)
  • Modernize CSS (replace 2010-era tables with Flexbox/Grid)
  • Add AJAX for smoother interactions (currently full-page reloads)
  • Improve accessibility (ARIA labels, keyboard navigation)

Optional Enhancements:

  • WebSocket integration for real-time attack notifications
  • REST API for mobile app development
  • Redis caching for world map data
  • CDN for static assets
  • Social login (OAuth - Google/Facebook)

Total Modernization Cost:

  • Minimum (240 hours): $18,000 @ $75/hr
  • Maximum (320 hours): $24,000 @ $75/hr

Biggest Challenge: Legal compliance. This is a Travian clone using stolen assets. Even with security fixes, deploying this publicly risks C&D letters or lawsuits from Gameforge/Travian Games. Recommend complete rebrand and original art before any public deployment.

Maintenance: Once modernized, expect $500-$1,000/month ongoing costs (server hosting, DDoS protection, bug fixes, game balance patches, community management).

---

9. HISTORICAL CONTEXT

Release Period: May 2010 (Rev 0.0.3)

PHP Era: PHP 5.3.0 (released June 2009)

Travian Era: 2004-2010 peak (Travian launched 2004, became EU phenomenon)

2010 Browser Gaming Landscape:

  • Travian Dominance:

Travian (2004) was the king of browser strategy games in Europe. Millions of players across hundreds of servers. Spawned countless clones (Ikariam, TribalWars, Grepolis). Kravian is yet another attempt to copy Travian's success.

  • PHP 5.3 Modern Features (June 2009):
  • Namespaces (not used in Kravian)
  • Late Static Binding (not used)
  • Closures/Lambda functions (not used)
  • goto operator (thankfully not used!)
  • MySQLi still preferred over deprecated mysql_*

Kravian uses none of these modern PHP 5.3 features. Code style is still PHP 4/5.2-era procedural OOP.

  • Browser Game Clone Epidemic:

2006-2010 saw explosion of Travian/OGame clones. Easy to clone (open-source PHP), hard to differentiate, profitable if ads/premium accounts succeed. Most died within 1-2 years due to:

  • Legal threats from Travian Games/Gameforge
  • Lack of player base (competing against established games)
  • Poor security (DDoS, hacking killed many clones)
  • No innovation (why play clone when original exists?)
  • Travian's Legal Actions:

Gameforge/Travian Games aggressively defended IP:

  • C&D letters to clone developers
  • Lawsuits for trademark infringement
  • DMCA takedowns for stolen graphics
  • Server shutdowns via hosting provider complaints

Kravian's Place:

One of hundreds of Travian clones built 2008-2012. "Kravian" name itself shows lack of creativity (Travian → Kravian anagram). Development stalled at v0.0.3 (incomplete beta), likely due to:

  • Developer realized legal risks
  • Lack of player interest (Travian still dominant)
  • Security issues made deployment impractical
  • Monetization challenges (can't compete with Travian's scale)

Why It Matters:

Kravian represents the Travian clone gold rush of late 2000s. Demonstrates:

  • How influential Travian was (spawned entire genre)
  • Futility of cloning without innovation
  • Legal risks of IP theft in gaming
  • Why open-source game engines need strong licenses

Comparable Projects:

  • TravianZ: Another open-source Travian clone (2008-2011), more complete than Kravian
  • TravianT4: Travian 4.x clone (2012+), active but legally gray
  • Ikariam clones: Same story (see game #31 in this collection)

Legacy: Kravian itself has no legacy (never publicly deployed, abandoned in beta). But it's a fossil from browser gaming's clone wars era, showing the technical debt, security flaws, and legal landmines that doomed most clones.

---

10. CONCLUSION & VERDICT

Overall Rating: 3/10

Strengths:

  • Comprehensive Travian mechanics implemented (villages, combat, alliances, world map)
  • Decent class-based architecture (16 engine classes)
  • Database abstraction (MySQLi/MySQL dual support)
  • Extensive logging infrastructure (7 audit tables)
  • Template system (330 .tpl files)
  • Real-time resource generation
  • Multi-language support (partial)
  • Well-designed database schema (31 tables)

Critical Flaws:

  • ILLEGAL: Unauthorized Travian clone (trademark/copyright infringement)
  • INCOMPLETE: v0.0.3 beta, admin panel missing, many features "pending debug"
  • CATASTROPHIC SECURITY: No input sanitization, SQL injection everywhere, MD5 passwords, zero XSS protection
  • 1,281-line database monolith (God Object anti-pattern)
  • No input validation layer
  • Stolen Travian graphics (travian_0002/ graphics pack)
  • Mixed languages (German filenames, English classes, Spanish dev emails)
  • Dead code (empty folders, backup files committed)
  • Zero innovation (pure Travian clone, no original ideas)

Deployment Recommendation: NEVER DEPLOY PUBLICLY

Reasons:

  • Legal: Gameforge/Travian Games will sue for trademark/copyright infringement
  • Security: Trivial SQL injection, XSS, credential theft, privilege escalation
  • Incomplete: Missing admin panel, partial features, beta quality
  • Unethical: Stealing copyrighted game mechanics and graphics

Educational Value: 5/10

What We Learn:

  • How NOT to Clone a Game:
  • Kravian shows the pitfalls of lazy cloning (stolen name, stolen art, zero innovation)
  • Demonstrates why clones fail (legal threats, no differentiation, security disasters)
  • 2010 PHP Security Mistakes:
  • Textbook example of what NOT to do: direct SQL interpolation, no htmlspecialchars, MD5 passwords, insecure installers
  • Perfect case study for SQL injection training
  • God Object Anti-Pattern:
  • db_MYSQLi.php (1,281 lines) is a poster child for why God Objects are maintainability nightmares
  • Shows importance of repository pattern
  • Browser MMOG Architecture:
  • Despite flaws, database schema is well-designed for persistent world games
  • Demonstrates resource management, combat simulation, alliance systems, real-time progression
  • Incomplete Projects:
  • Illustrates importance of scope management (ambitious Travian clone abandoned in beta)
  • Empty folders, placeholder files, "pending" features show poor project completion

Who Should Study This:

  • Security Students: Excellent real-world SQL injection/XSS case study
  • PHP Developers: Learn refactoring patterns (how to split monolithic DB classes)
  • Game Designers: Study Travian's influential mechanics (even via clone)
  • IP Lawyers: Example of copyright infringement in gaming

Who Should NOT Deploy This:

  • Anyone (see legal/security reasons above)

Best Use Case: Security Training / Refactoring Workshop

Convert Kravian into a teaching tool:

  • Before: Show insecure code (1,281 lines of SQL injection)
  • After: Refactor with prepared statements, input validation, repository pattern
  • Exercise: Have students find vulnerabilities, write exploits, then secure them
  • Legal Lesson: Discuss IP law in gaming (why clones fail)

Tier Ranking: Tier 3 - Abandoned Beta (Historical Artifact Only)

Verdict: Kravian is a cautionary tale from browser gaming's Travian clone gold rush (2008-2012). Shows how NOT to clone a successful game (steal everything, innovate nothing, deploy insecurely, ignore legal risks). Interesting as a code archaeology specimen for studying 2010-era PHP mistakes and browser MMOG mechanics, but absolutely not deployable. The complete absence of input sanitization combined with illegal Travian IP theft makes this a dual-threat legal and security disaster.

If You Want to Build a Browser Strategy Game:

  • Study Kravian's mechanics (database schema is solid)
  • Don't copy Travian - innovate with unique mechanics, setting, art
  • Secure everything from day 1 (prepared statements, input validation, bcrypt)
  • Use modern frameworks (Laravel/Symfony, not raw PHP)
  • Consult an IP lawyer before launching
  • Budget for community management, anti-cheat, 24/7 support

Kravian proves: Great game design (Travian's) + terrible execution (insecure clone) + legal risk (IP theft) = doomed project. Learn from its mistakes, not its code.

Overall Assessment & Star Ratings

Category | Rating | Commentary
--- | --- | ---
Innovation & Originality | ★☆☆☆☆☆☆☆☆☆ 1/10 | CLONE: Direct copy of Travian gameplay, assets, UI, German filenames
Code Quality | ★★★★★☆☆☆☆☆ 5/10 | MVC-like structure, template system, but incomplete beta code
Security Posture | ★☆☆☆☆☆☆☆☆☆ 1/10 | CATASTROPHIC: No sanitization, SQL injection, MD5 passwords, CSRF vulnerable
Documentation | ★★☆☆☆☆☆☆☆☆ 2/10 | Only install.txt and changelog.txt, minimal comments
Gameplay Design | ★★★★★★★★☆☆ 8/10 | Exact Travian clone - proven mechanics (but stolen)
Technical Architecture | ★★★★★★☆☆☆☆ 6/10 | MVC-like, 330 templates, MySQLi abstraction, but incomplete
Completeness | ★★★★☆☆☆☆☆☆ 4/10 | Rev 0.0.3 beta, admin panel empty, "pending debug" markers
Historical Significance | ★★★☆☆☆☆☆☆☆ 3/10 | Example of 2010 Travian clone scene, LGPL but illegal derivative
Preservation Value | ★★★☆☆☆☆☆☆☆ 3/10 | Low priority: illegal clone, incomplete, better alternatives exist

Final Grade: D

Summary: Kravian is an unauthorized clone of the commercial game Travian (2010) with blatant trademark infringement ("Kravian" anagram), stolen art assets, identical gameplay mechanics, and German filenames (dorf1.php, berichte.php). While it shows decent MVC-like architecture with 330 Smarty templates and MySQLi abstraction, the Rev 0.0.3 beta status reveals incompleteness (empty admin panel, "pending debug" markers). Catastrophic security (no input sanitization, SQL injection everywhere, MD5 passwords) and illegal derivative work make this unsuitable for any use except studying clone culture. LGPL license doesn't cover stolen IP. Archive only - do not deploy.


Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.