Vice Warz is a fast-moving mafia RPG built around crews, cashflow, and conflict. Assemble your gang, declare wars and raids, work patrols for steady income, and climb rankings through PvP attacks and hitlists. The flow is constant: train, equip, attack, bank, and brag as your crew builds reputation and power.
With point sales, VIP, and aggressive monetization, it captures the 2006 browser-RPG zeitgeist where social rivalry and daily timers defined the loop. Expect shoutbox drama, crew politics, and cron-driven events that keep the streets hot.
Name: Vice Warz
Developer: Kyle Piontek (ViceWars.com)
Year: 2006 (SQL dump dated April 11, 2006)
Genre: Online Mafia/Crime RPG with crews (gangs)
Type: Text-based browser crime game with monetization
License: Proprietary with restrictive ToS
---
Total Files: 195
File Breakdown:
Total PHP Lines: 7,577
Database Schema: 644 lines, 33 tables
Average File Size: 86 lines per PHP file
Key Files:
config.php - HARDCODED DATABASE CREDENTIALS!vice_main.sql - 644-line database schemaindex.php - 297 lines (homepage with rankings)attack.php - 272 lines (PvP combat)crews.php - Crew (gang) managementregister.php - 241 lines (massive ToS wall)Technology Stack:
)---
Vice Warz follows a simple page-per-feature architecture:
`
vice_warz/
├── index.php # Homepage (news, rankings, shoutbox)
├── register.php # Registration with massive ToS
├── login.php # Authentication
├── config.php # EXPOSED DATABASE CREDENTIALS
├── header.php # Common header
├── footer.php # Common footer
├── attack.php # PvP combat system
├── crews.php # Gang management
├── shop.php # Item purchases
├── training.php # Stat training
├── battle.php # Team battles
├── mail.php # Messaging
├── bank.php # Banking system
├── patrol.php # Income missions
├── hitlist.php # Bounty system
├── forums.php # Forums
├── cron_*.php # 6 cron jobs!
└── finalize-*.php # Payment processing
Database Connection (config.php):
`php
$username = "vice_kp"; // HARDCODED!
$password = "thisisme"; // PLAINTEXT IN SOURCE!
$hostname = "localhost"; // PUBLIC IN CODEBASE!
$dbh = mysql_connect($hostname, $username, $password);
$selected = mysql_select_db("vice_main",$dbh);
// Cookie authentication - NO VALIDATION!
if ($_COOKIE['user']) {
$stat = mysql_fetch_array(mysql_query(
"select * from users where name='$user' and pass='$pass'"
));
}
`
Security Disasters:
$_COOKIE in queries)---
User Management:
users - 70+ fields (level, money, bank, class, VIP, profile pic)login_log - IP trackingmail - Private messagingCombat & Competition:
attack_log - PvP battle recordsattacks - Attack tracking (daily limits)battle_arena - Team battlesbattle_team1, battle_team2 - Team rostersbattle_log - Battle historyhitlist - Bounty systemCrew System (Gangs):
crews - Gang data (70+ fields!)crew_allies - Gang alliancescrew_bank_log - Crew bankingcrew_forums - Private crew forumscrew_hitlist - Crew bountiescrew_invites - Recruitment systemcrew_money_log - Crew transactionscrew_raids - Cooperative raidscrew_upgrades - Crew enhancementscrew_war_req - War declarationscrew_wars - Active warsEconomy:
shop - Item shopupgrades - Character upgradesmoney_log - Transaction trackingbank - Banking (not shown in CREATE TABLE list, may be in users)Monetization:
point_log - Points (premium currency) trackingpaypal_raw - PayPal IPN dataContent & Social:
news - Announcementsshoutbox - Public chat (buy shoutbox posts!)forums - Forum systempoll - Votingsupport - Ticket systemGameplay:
patrol - Income missionsturn - Turn-based timerclick_log - Anti-cheat (click tracking)underlings - Referral systemMysterious:
core - Purpose unclear (possible game core settings)---
Character Progression:
Money System:
PvP Attacks:
`php
// attack.php
// - Attack limit per day
// - Max 10 attacks per action
// - Cannot attack crew members
// - Cannot attack allied crews
// - Captcha verification required
// - Steals cash on win
`
Attack Mechanics:
Team Battles:
Crew Structure:
Rank Permissions:
Crew Features:
Elemental System:
`sql
fire bigint(255)
water bigint(255)
ice bigint(255)
earth bigint(255)
sand bigint(255)
stone bigint(255)
`
Purpose: Likely crew power-ups or collectibles
Cash Flow:
Points System (Premium Currency):
VIP Membership:
vip_days_left fieldBanking:
Shoutbox:
Mail System:
Forums:
Polls:
Profiles:
Hitlist (Bounties):
Referral System:
parentid/parentname trackingPatrol System:
Security Questions:
Support Tickets:
Inactive System:
Six automated tasks:
cron_minute.php - Every minutecron_five.php - Every 5 minutescron_ten.php - Every 10 minutescron_eleven.php - Every 11 minutes (?)cron_hour.php - Every hourcron_day.php - Daily resetLikely handle:
---
1. HARDCODED DATABASE CREDENTIALS (CRITICAL+++)
`php
// config.php - PUBLICLY ACCESSIBLE!
$username = "vice_kp";
$password = "thisisme";
$hostname = "localhost";
`
2. PLAIN-TEXT PASSWORDS (CRITICAL)
`php
// NO PASSWORD HASHING ANYWHERE!
$stat = mysql_fetch_array(mysql_query(
"select * from users where name='$user' and pass='$pass'"
));
`
3. SQL INJECTION EVERYWHERE (CRITICAL)
`php
// Cookie values used directly in SQL!
$stat = mysql_fetch_array(mysql_query(
"select * from users where name='$user' and pass='$pass'"
));
// $user and $pass come from $_COOKIE - UNSANITIZED!
$attack1 = mysql_query("select * from users where name = '$aname'");
// $aname from $_POST - UNSANITIZED!
`
4. COOKIE-BASED AUTHENTICATION (HIGH)
`php
if ($_COOKIE['user']) {
// Logged in!
}
`
5. SHORT PHP TAGS (LOW)
`php
// Instead of
`
6. DEPRECATED MYSQL FUNCTIONS (MEDIUM)
`php
mysql_connect()
mysql_query()
mysql_fetch_array()
// All deprecated in PHP 5.5, removed in PHP 7.0
`
7. NO INPUT VALIDATION (HIGH)
`php
if (is_numeric($attacks) == False) // Only numeric check found
// No other validation
// XSS possible in shoutbox, profile, messages
`
8. CAPTCHA BYPASS RISK (MEDIUM)
`php
$det=base64_decode($det);
if ($det != $imgcode) {
// Fail
}
// Base64 encoding for security? Really?
`
---
Vice Warz represents commercial browser RPG development circa 2006:
Business Model:
Common Practices (for 2006):
Uncommon (even for 2006):
From ToS:
Red Flags:
Buy Everything:
Pay-to-Win Indicators:
---
FULLY IMPLEMENTED:
Registration with ToS wall
Login/authentication (insecure but functional)
Character system (level, exp, money)
PvP combat with captcha
Crew system (create, join, manage)
Crew ranks and permissions
Crew wars and alliances
Attack logging
Team battles
Hitlist/bounty system
Banking system (deposits, transfers)
Shop system
Upgrades system
Mail/messaging
Shoutbox
Forums
Polls
Support tickets
Profile customization
Image uploads
Patrol missions
Income system
Turn-based mechanics
Referral system
PayPal integration
Point sales
VIP membership
Cron jobs (6!)
Admin/Moderator tools
IP logging
Anti-cheat (click log, attack check)
UNCLEAR:
⚠️ Patrol mission content
⚠️ Stone collection purpose
⚠️ Raid mechanics
⚠️ Class differences
⚠️ Upgrade effects
MISSING/INCOMPLETE:
Stat training details
Item descriptions
Battle calculations (damage formulas)
What Works:
What's Broken:
Performance Issues:
---
| Game | Password Hash | SQL Injection | DB Credentials | Rating |
|---|---|---|---|---|
| Vallheru | MD5 | Protected (ADOdb) | Separate config | 7/10 |
| VA-RPG | MD5 | Partial escape | Separate config | 2/10 |
| Ugamela TT | MD5 | Partial escape | Separate config | 4/10 |
| Vice Warz | PLAIN TEXT | NONE | HARDCODED | 0/10 |
Only Game With:
Monetization Leader:
---
Breakdown:
Vice Warz is a cautionary tale in browser game security:
What NOT to Do:
Business Model:
Code Quality:
Cannot Be Revived:
If Attempting Revival:
Perfect Teaching Example:
Use Cases:
---
Vice Warz holds the dubious honor of being the least secure game out of 79:
The Triple Threat:
If Vice Warz Had Gone Live:
Why It Matters:
Comparison:
If You Remember One Thing:
Vice Warz is the game where the database password was literally "thisisme" and stored in the publicly-accessible config.php file.
---
Database Size: 644 lines SQL (33 tables)
PHP Version Required: 5.2-5.6 (short_open_tag, mysql_* functions)
MySQL Version: 4.0-5.7 (MyISAM tables)
Browser Requirements: Cookies, JavaScript (tooltips)
Security Status: COMPROMISED BY DESIGN
Cannot Deploy:
Deployment Difficulty: 2/10 (easy to deploy, impossible to secure)
Maintenance Difficulty: 10/10 (security nightmare)
Revival Difficulty: IMPOSSIBLE (complete rewrite required)
---
Analysis Date: December 11, 2024
Game #70 of 79 in the Vintage Browser RPG Collection
Status: Feature-complete but catastrophically insecure
Verdict: DO NOT DEPLOY - Security teaching tool only
Special Distinction: Worst security in entire collection 🏆💀
Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.
We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.