Arm, upgrade, and unleash your battle-ready automata in Robot Warz—an art-rich, Russian‑language combat RPG built for fast, tactical showdowns. Master a unique four-zone kick/block system, equip from 17 gear slots, and choose from hundreds of weapon and armor prototypes to craft the perfect build. Real-time chat, clan warfare, and an arena-centric flow keep the action nonstop.
Beyond the arena, gather resources in the forest, navigate labyrinth challenges, trade in NPC and player markets, construct buildings, and advance through a deep progression system. With extensive graphics and content, Robot Warz brings a distinctive sci-fi flavor to classic browser RPG combat.
Game Name: Robot Warz
Version: Unknown (database dated 2007-10-21)
Genre: Web-based RPG robot battle game
Developer: Unknown (contact:
Language: Russian (windows-1251 charset)
Technology: PHP + MySQL
Server: http://robotwarz.ru
License: Likely commercial/proprietary
Release Era: ~2007-2008
Database Date: 2007-10-21 (from SQL dump filename)
---
Total Files: 1,195
File Breakdown:
Total Size: ~11.7 MB (5.6 MB graphics!)
Key Directories:
/ - 118 PHP game files (flat structure)/modules/ - 17 function modules/help/ - Help documentation/css/ - Stylesheets/js/ - JavaScript/labirint/, /labirint2/ - Maze minigame/forest/ - Forest gathering minigame/exchange/ - Trading system/logs/ - Battle logs/usersimage/ - User uploads/test/ - Testing files---
PHP Architecture:
Database Configuration (inc_config_db.php):
`php
$user='ru-robotwarz';
$pass='f8157afbec';
$host='80.93.49.170';
$baza='ru-robotwarz';
$httpServer='http://robotwarz.ru';
$httpPrefix='/';
$imgPath='usersimage/';
`
NOTE: Hardcoded production credentials exposed!
lib.php (Core Loader):
`php
require('inc_config_db.php');
$db=mysql_connect($host,$user,$pass) or die('Server Error');
mysql_select_db($baza,$db);
mysql_query('SET names cp1251');
// Load all system variables from config table
$vars=mysql_query('select var, val from config');
while($vr=mysql_fetch_array($vars)) $$vr['var']=$vr['val'];
// Dynamic module loading
$handle=opendir($path.'modules');
while(false!==($file=readdir($handle)))
if(eregi("function.php$",$file)) include($path.'modules/'.$file);
closedir($handle);
`
Dynamic Variable Injection: Uses $$var to create global variables from database!
17 Modules (modules/ directory):
40+ Tables (ru-robotwarz_2007-10-21_02-32.sql):
Core Tables:
users - Player accounts (70+ fields!)accounts - Multi-character systemconfig - System variablescontent - CMS contentCombat System:
battle_request - Battle matchmakingbattle_movie - Turn-by-turn replay datauser_in_battle - Active combatantsattacklogs - Historical logsItem System (Comprehensive!):
item - Actual items (2.4M+ IDs!)item_prototype - Item templates (465 prototypes)item_group - Equipment categories (17 groups)gosshop - Government shop inventorycomission - Consignment shopinventory - Player items (via users_bags)users_bags - Equipped itemsClans:
clan - Guild systemclan_permission - Permissionsclan_weapon - Shared weaponsLocations:
built - Player buildingsforest - Foraging data (25 resource types!)Chat/Communication:
chat_private - Private messagessms - System messagesmessage_log - Chat historyEconomy:
game - Player-owned gamblinggosshop - NPC shop inventorycomission - Player marketcrystal_market (implied)Minigames:
labirint - Maze gameexpire - Level exp tablesModeration:
bad_boys - Punishmentsalog - Admin logsslog - System logsSession-Based:
`php
// action.php login
if(strcmp(md5($_POST['pass']),$r['passw'])==0 and $r['status']==ENABLED) {
session_start();
session_register('login','pass','startTime','current_user_ip');
$_SESSION['login']=$_POST['login'];
$_SESSION['pass']=md5($_POST['pass']); // Stores hashed password
$_SESSION['startTime']=time();
$_SESSION['current_user_ip']=USER_IP;
mysql_query('update users set sesid="'.session_id().'" where id='.$r['id']);
$t='index.php';
}
`
Password Storage: MD5 hashing (no salt)
Access Control (lib.php):
`php
function checkAdmin() {
global $User;
if(!isset($_SESSION['login']) or !isset($_SESSION['pass'])) return false;
// Loads user data into $User global
return true;
}
`
---
index.php (Frameset Layout):
`html
`
3-Panel Layout: Main game area + Chat/Online + Toolbar
User Stats (users table - 70+ fields!):
Combat Modifiers:
17 Equipment Slots (item_group):
465 Item Prototypes:
Item Properties (item_prototype):
`php
`
4-Zone Block System:
PvP Arena (arena.php):
Battle Matchmaking (battle_request):
`php
`
Turn-Based Combat (battle.php):
Combat Actions:
`php
kick: 0-3 (4 attack zones)
block: 0-3 (4 defense zones)
`
Combat Mechanics (battle_movie):
`php
// Each turn records:
`
Combat Calculation:
`php
// battle.php lines 62-88
calculate_item_bonus(&$User);
calculate_item_bonus(&$enemy_data);
$fight_data=calculate_kick_power($User, $enemy_data);
// Damage application
$User['health']-=$fight_data['uron_defender'];
$enemy_data['health']-=$fight_data['uron_attacker'];
`
Battle Outcomes:
Item Durability Loss (crash_item):
`php
CRASH_WINNER_ITEM
CRASH_ADV_ITEM
CRASH_LOST_ITEM
// Random item loses durability based on outcome
`
Injury System (travma_function.php):
`php
travma['level']:
`
Accounts (account.php):
`php
// Players can create multiple sub-accounts
`
Account Management:
City Map (main.php):
Locations (image map):
Room System:
`php
$User['room']: 0=main, 1=arena, 2=shop, etc.
// Updates chat/online frames on location change
`
Maze Exploration (labirint.php, labirint2/):
`php
$User['labirint_hol']: Current maze level/room
// Navigation: rotateleft, rotateright, forward, back
// Exit cost: 5 money if not completed
`
Canalization (canalization.php):
`php
// Similar maze system
in_array($_GET['action'], array('rotateleft','rotateright','forward','back'))
`
Forest Gathering (forest.php):
25 Resource Types (forest table):
Foraging Mechanics:
Government Shop (shop.php):
`php
gosshop table: 597 items with inventory counts
// NPC shop with limited stock
`
Comission Shop (comission.php):
`php
// Player-to-player market
`
Clan Weapons (clan_weapons.php):
`php
clan_weapon table:
// Shared clan equipment
`
Player Buildings (built table):
`php
// Economic production buildings
Resources: almaz (diamond), ugol (coal), wood, steel, gold, rood
`
Gambling (game table):
`php
mount, glas: Player-owned gambling machines
`
Real-Time Chat (chat.php, room.php):
`php
// Delayed insert for performance
mysql_query('insert delayed into message_log...');
`
Private Messages (chat_private):
`php
// Colored messages with HTML styling
''.$message.''
`
System Messages (sms table):
`php
add_private_system_message($text, $user_name='', $from='System');
`
Clan Features (clan_room.php):
Clan Permissions (clan_permission):
`php
permission: 1-9 (various privileges)
`
Admin Panel (admin.php):
Punishment System (bad_boys):
`php
`
Mage Class (mage.php):
`php
// Magic casting system
$message // Spell message
mysql_query('insert delayed into message_log...');
`
Magic Scrolls (item_prototype):
`php
id=236-240:
magic: 1-6 (effect IDs)
`
Gift Items (present01-present19):
`php
// 19+ gift types for social features
`
Flowers (17 flower types):
`php
// Social items (dating/friendship)
`
Help Documentation (help/):
Status Management (status.php):
`php
// Level-up, item effects, buffs/debuffs
mysql_query('insert delayed into message_log...');
`
---
1. Hardcoded Production Credentials (EXPOSED!):
`php
// inc_config_db.php lines 3-6
$user='ru-robotwarz';
$pass='f8157afbec';
$host='80.93.49.170';
$baza='ru-robotwarz';
`
2. Dynamic Variable Injection:
`php
// lib.php lines 10-11
$vars=mysql_query('select var, val from config');
while($vr=mysql_fetch_array($vars)) $$vr['var']=$vr['val'];
`
3. SQL Injection (WIDESPREAD):
`php
// Battle.php line 57 (no validation!)
$enemy_id=(int)$_POST['enemy_id'];
// action.php lines 35-36
$rlogin=stop_sql_injection(prepare_str(trim($_POST['rlogin'])));
// Custom function, but...
// edithome.php line 32
$object=mysql_fetch_array(mysql_query("select * from built where id=".$_GET['obj']));
// Direct $_GET injection!
`
stop_sql_injection() uses custom escaping:
`php
// main_function.php (implied)
function prepare_str($str) {
$s=eregi_replace('"','"',killSlashes($str));
$s=eregi_replace("'",'’',$s);
// HTML entity encoding, NOT SQL escaping!
}
`
mysql_escape_string() consistentlymysql_escape_string() (13 matches)4. MD5 Password Hashing (No Salt):
`php
// action.php lines 15, 19, 79
md5($_POST['pass'])
md5($pass1)
`
5. Deprecated Functions:
`php
session_register('login','pass','startTime','current_user_ip');
eregi() // Removed PHP 5.3+
mysql_connect() // Removed PHP 7.0
`
6. File Upload System:
`php
$imgPath='usersimage/';
// Directory for user uploads (potential path traversal)
`
7. Session Fixation:
8. Information Disclosure:
`php
die('Server Error'); // Generic error, but still leaks info
`
9. CSRF Vulnerable:
10. Input Validation (Partially Implemented):
`php
// battle.php lines 61-64 (GOOD!)
if(!in_array((int)$_POST['kick'],array(0,1,2,3)) or
!in_array((int)$_POST['block'],array(0,1,2,3))) {
header('Location: battle.php');
exit;
}
`
Rationale:
Cannot Deploy: Credentials exposed, SQL injection everywhere
---
Positive Aspects:
Negative Aspects:
1. Multi-Account System:
2. Building Production:
3. 4-Zone Combat:
4. Injury System:
5. Comprehensive Foraging:
6. Item Modification:
7. Real-Time Combat Logs:
`php
// battle.php lines 78-79
fputs($fp, '
'.date('H:i').' '.$fight_data['action_attacker']);
// Writes HTML battle log to logs/ directory
`
Massive Item IDs:
`php
// item table: id starts at 2440177
// Suggests millions of items created/destroyed over time
`
Production Server Data:
`php
// SQL dump contains actual player data:
`
Level System:
`php
// expire table: 21 levels
Level 1: 58 exp, 4 money
Level 20: 4,286,914 exp, 16,775 money
Level 21: 2,147,483,647 exp (INT_MAX!)
`
---
Year: ~2007-2008
Evidence:
PHP Context: PHP 5.2 era
Web Gaming Context:
Cultural Context:
Game Style:
Influenced By:
Similar Games in Collection:
Unique Features:
---
Fully Implemented ( ):
Partially Implemented (⚠️):
Missing ( ):
Playable: YES (but INSECURE)
Requirements:
Installation:
Production Readiness: 0/10
Combat System:
Economy:
Progression:
Social Features:
---
Size: Medium
Security: POOR
Features: VERY HIGH
Graphics: EXCEPTIONAL
Code Quality: Poor
vs Solar Empire (Game 62 - 1/10):
vs Ravan (Game 56 - 4/10):
vs Solar Imperium (Game 63 - 9/10):
Strengths:
Weaknesses:
Overall Collection: 40-45th/79
---
| Aspect | Score | Notes |
|---|---|---|
| Security | 4/10 | Hardcoded credentials, SQL injection, MD5 passwords |
| Code Quality | 3/10 | Framesets, deprecated functions, flat structure |
| Features | 9/10 | 465 items, 4-zone combat, clans, economy, minigames |
| Completeness | 9/10 | 90% complete, polished systems |
| Graphics | 10/10 | 900 GIFs (5.6 MB artwork) - EXCEPTIONAL |
| Innovation | 7/10 | 4-zone combat, multi-account, building production |
| Balance | 7/10 | Turn-based fairness, extensive equipment tiers |
| Playability | 7/10 | Works on PHP 5.2, complete game loop |
| Maintainability | 2/10 | Deprecated functions, hardcoded credentials |
"Graphics-Rich Russian Combat RPG with Hardcoded Credentials Disaster"
900 GIF Graphics - Most artwork-heavy game analyzed!
465 Item Prototypes - Extensive equipment variety
4-Zone Combat - Unique strategic depth
Building Production - Economic simulation
25 Foraging Resources - Comprehensive gathering
Multi-Account System - Alternate character support
Clan Features - Guilds with shared weapons
Modular Architecture - 17 function modules
Turn-Based Combat Replay - Battle movie system
Injury Mechanics - Combat restrictions add depth
Real-Time Chat - Delayed inserts for performance
HARDCODED PRODUCTION CREDENTIALS - Database/FTP passwords exposed!
SQL INJECTION EVERYWHERE - Direct $_GET/$_POST in queries
MD5 PASSWORDS - No salt, rainbow table vulnerable
FRAMESET UI - Obsolete since ~2000
DYNAMIC VARIABLE INJECTION - $$var creates globals from DB
DEPRECATED FUNCTIONS - eregi, session_register, mysql_*
FLAT FILE STRUCTURE - 118 PHP files in root
WINDOWS-1251 ENCODING - Not UTF-8
NO CSRF PROTECTION - Forms lack tokens
SESSION FIXATION - No regeneration on login
Robot Warz is a feature-rich Russian robot combat RPG with exceptional graphics (900 GIFs!), sophisticated gameplay systems (4-zone combat, building production, multi-accounts), and comprehensive content (465 items, 25 resources). However, it contains one of the WORST security practices possible: hardcoded production database and FTP credentials directly in the source code. Combined with widespread SQL injection, MD5 passwords, and an obsolete frameset UI, this game is completely undeployable in any modern environment.
The hardcoded credentials in inc_config_db.php expose the entire production database (host='80.93.49.170', user='ru-robotwarz', pass='f8157afbec'). This is Security 101 violation - credentials must NEVER be in source code. Additionally, SQL injection is everywhere due to custom escaping functions that use HTML entity encoding instead of proper SQL escaping.
Beyond the catastrophic security issues, the game uses obsolete technologies: framesets (abandoned ~2000), deprecated PHP functions (eregi, session_register, mysql_), and windows-1251 encoding. The code requires PHP 5.2-5.6 and is incompatible with PHP 7.0+ due to removed mysql_ functions.
As a piece of gaming history, Robot Warz demonstrates the Russian browser RPG scene of 2007-2008, with extensive artwork (5.6 MB graphics!), sophisticated combat mechanics (4-zone system), and unique features (multi-account support, building production economy). The 465 item prototypes and 25 foraging resources show impressive content depth.
The game would require 100-200 hours of complete rewrite to be remotely safe: remove all credentials, convert to PDO, replace MD5 with bcrypt, modernize the UI (remove framesets), upgrade to PHP 8.x, implement UTF-8, add input validation, implement CSRF protection, and restructure the file organization. Until then, it's a hacking playground.
High - Represents peak of Russian browser RPG development (2007-2008), demonstrates graphics-heavy approach (900 GIFs), showcases sophisticated combat mechanics (4-zone system), preserves multi-account gameplay innovation, documents frameset UI era, contains production database dump (historical snapshot), serves as cautionary tale about credential management, and provides reference for building production economies in browser games.
---
Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.
We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.