Dragon Sword

Technical Details

Filename: dragon_sword_2_rpg.zip
Size: 385.14 KB
Downloads: 125
Author: Unknown
Created: 2004-05-17
Changed: 2025-12-16
System: PHP 4.x
Price: $0.00

Forge your legacy in a clan-driven fantasy world where diplomacy and dominion decide who rules. Rally allies, elevate trusted elites, and negotiate alliances—or declare war and seize your rivals’ influence. With a multi-resource economy and a ladder of ranks from Peasant to Royal, every choice you make reshapes your clan’s power and prestige.

This is strategy with a social edge. Coordinate donations, craft signature gear, and use your message boards and chat to mobilize members in real time. Whether you broker peace or thrive on conflict, the path to supremacy is yours to write—and your clan will remember how you led them there.

File Verification
MD5 Checksum
328bf4837eb284443631ff50b625997e
SHA1 Checksum
d26b7baaf1444756a7de5e8c91cc05b2dc729abe

DragonSwords - Comprehensive Analysis - Game Analysis Report

1. METADATA & PROVENANCE

Game Title: DragonSwords (stylized DragonSwords)

Version: Unknown (unversioned, circa 2001-2004)

Author/Studio: Remixication Inc. (Remix)

Active Period: 2001-2004 (per copyright notices)

Genre: Web-based MMORPG / Medieval fantasy RPG with clans

Language: PHP 4.x

License: Proprietary / Private installation

Official Site: dsrpg.com / dsrpg.co.uk (historical, now offline)

Historical Context

DragonSwords was an active commercial/community web-based RPG that ran from 2001-2004, operated by Remixication Inc. The game featured a complex clan system with diplomacy, ranks from "Peasent" [sic] to "Royal," and multiple resource types (gold, nectar, crystals, diamonds, emeralds, rubys [sic], stardrops). The archive shows extensive development history with multiple backup versions (clans.php has 9+ variants: clans1.php, clansnew.php, clansa.php, clansbackup.php, clans.phpworks, etc.) indicating active iteration during development.

The game participated in MPOGD (Multiplayer Online Games Directory) voting system and had a dedicated staff team. Copyright notices mention both "Remixication Inc." and "Wolf Computer Services, LLC." suggesting possible business partnership or acquisition between 2002-2003.

Archive Characteristics

  • Archive Type: Live production server snapshot (includes .phpworks, .phpold, .phpbackup files)
  • Folder Structure: Single Dragonsword/ directory with all files
  • Total Size: ~4.2 MB
  • Documentation Quality: None - no README, INSTALL, or documentation files
  • Database: SQL.sql included (34 tables, phpMyAdmin 2.5.6-rc1 dump from May 18, 2004)
  • Backup Files: Multiple development iterations preserved (9+ clan.php variants)

---

2. FILE COMPOSITION ANALYSIS

Overall Statistics

  • Total Files: 516 files
  • Total Size: ~4.2 MB
  • File Breakdown:
    • 271 GIF files (~544 KB) - UI graphics, buttons, map images
    • 196 PHP files (~1.966 MB) - Game engine scripts
    • 15 CSS files (~15 KB) - Stylesheets
    • 10 LOG files (~27 KB) - Server/access logs
    • 9 JPG files (~159 KB) - Images (dog1.JPG, dog2.JPG, DJcaul.gif, etc.)
    • 1 ESS file (1.286 MB) - justleve0000.ess (unknown format, possibly level editor)
    • 1 SQL file (32 KB) - Database schema
    • 1 BMP file (74 KB) - Bitmap image
    • Miscellaneous: .phpo, .phpold, .ph, .php3, .ess, .php(backup) - Development artifacts

Core Files Structure

Primary Scripts:

  • index.php - Login page with password recovery
  • Clans.php (102.4 KB) - Massive clan management system (2,291 lines)
  • Admin.php (56.2 KB) - Administration panel
  • check.php - Login validation
  • gameconfig.php (132 lines) - Load-balanced database connections (3 connection pools)
  • config.php - CRITICAL: Hardcoded credentials

Clan System Files (9+ variants):

  • clans1.php, clansnew.php, clansnew2.php, clansi.php, clansa.php
  • clansleet.php, newclans.php, clansbackup.php, clans.phpworks
  • Indicates extensive development iteration on clan features

Backup/Development Files:

  • admin1.php, account1.php - Previous versions
  • .phpold, .phpo, *.phpbackup - Development snapshots
  • backup.php - Database backup emailer script

Game Features:

  • blacksmith.php - Item crafting/upgrading
  • chat.php - In-game chat system
  • signup.php - User registration
  • view.php - Player profile viewer
  • active.php, account1.php - Account management
  • staff2.php, help2.php, rules2.php, about.php, tos.php - Info pages

File Organization Assessment

Strengths:

  • Modular feature separation (clans, blacksmith, chat in separate files)
  • Multiple development backups preserved
  • Comprehensive game systems (clan diplomacy, ranks, resources)

Weaknesses:

  • No directory structure (all 516 files in single folder - organization nightmare)
  • Inconsistent naming conventions (clans.php vs clansnew2.php vs clansa.php)
  • Development artifacts left in production (backup.php contains credentials)
  • Large monolithic files (Clans.php = 2,291 lines, Admin.php = 912+ lines)
  • No documentation or installation guide

---

3. TECHNICAL ARCHITECTURE

Technology Stack

  • Backend: PHP 4.x (uses old short tags <?, not <?php everywhere)
  • Database: MySQL 4.0.18 (per SQL.sql header)
  • Frontend: HTML 4.0 with tables, inline styles, iframes
  • Session Management: Cookie-based (email + password passed on every request)
  • Architecture Pattern: Procedural spaghetti code with includes
  • Load Balancing: Custom database connection pooling (3 MySQL users)

Database Architecture

Table Count: 34 tables (no prefix system)

Core Tables:

  • userdb - Player accounts (email, password in plaintext, level, gold, clan, etc.)
  • clans - Clan registry (id, name, owner, level, power/influence)
  • clan_mem - Clan membership (userid, clanid, status: Owner/Elite/member)
  • clan_app - Clan applications
  • clan_dipl - Clan diplomacy (alliances, wars, proposals)
  • arm - Armor items (4 slots: barmor, helm, gloves, boots)
  • wep - Weapons
  • chat_lines - Chat messages with timestamp
  • mb - Message board posts
  • ban, bans, bannedip - Ban systems
  • admintrack - Admin action logging
  • usernews - User activity logs (for admin tracking)

Additional Tables (partial list):

  • Resource management: gold, nectar, crystals, diamonds, emeralds, rubys, stardrops
  • Combat: battleswon, jailtime tracking
  • Social: ranks (12 levels: Peasent → Royal), donations, clan_days
  • Tracking: active (date "j/m H:i:s"), active2 (realtime YzHis format), ipaddress

Schema Design Quality:

  • No foreign key constraints
  • MyISAM storage engine (no transactions)
  • VARCHAR(9) for user IDs (strange choice)
  • Plaintext password storage in userdb table
  • Type field empty in arm table INSERT statements
  • No normalization for resources (all columns in userdb)

Code Architecture Patterns

1. Load-Balanced Database Connections (gameconfig.php):


      @session_start();
      $selectaccount = rand(1,3);
      if($selectaccount == 1){
          $db = mysql_connect("localhost", "remixi2_thirdlog", "login")
              or mysql_connect("localhost", "remixi2_forthlo", "login")
              or Die("I cannot connect to the database");
      }
      if($selectaccount == 2){
          $db = mysql_connect("localhost", "remixi2_secondar", "login")
              or mysql_connect("localhost", "remixi2_fifthlo", "login")
              or Die("I cannot connect to the database");
      }
      if($selectaccount == 3){
          $db = mysql_connect("localhost", "remixi2_system", "alpha")
              or mysql_connect("localhost", "remixi2_sixthlo", "login")
              or Die("I cannot connect to the database");
      }

  • Random selection of 3 connection pools
  • Failover chain - tries secondary user if primary fails
  • All use password "login" except remixi2_system ("alpha")
  • Primitive load distribution (not true load balancing)

2. Authentication Pattern (every page):


      $res = mysql_query("SELECT * FROM userdb WHERE email = '$email'");
      $playerinfo = mysql_fetch_array($res);
      if($playerinfo[password] != $password) { error("password"); }
  • Email + password passed via GET/POST on every request
  • No SQL injection protection - direct variable interpolation
  • Plaintext password comparison in code
  • Session tracking via active/active2 timestamp updates

3. Clan System Architecture:

  • Massive Clans.php (2,291 lines) handles:
    • Clan creation ($5M gold, 2,000 wins, 40 stardrops required)
    • Clan diplomacy (proposals, alliances, wars)
    • Member management (kick, promote to Elite)
    • Donations (gold, nectar, hacks, crystals, diamonds, emeralds, rubys)
    • Clan levels and influence (power stat)
  • Action-based routing: ?action=view, ?action=buyclan, ?action=viewmem
  • Integrated message board per clan (mb table with id=100+clanid)

4. Rank System:

Array-based ranks (12 levels):


      $rankname = array("Peasent", "Valet", "Squire", "Knight", "Lord",
      "Dol", "Earl", "Count", "Thane", "Duke", "Archduke", "Royal");

5. Date/Time Formatting:

  • Custom date formats: "j/m H:i:s" (17/5 14:32:05)
  • Realtime tracking: "YzHis" (20041381432 - Year + day-of-year + time)
  • Latin day names: "Lunae Dies" (Monday), "Martis Dies" (Tuesday), etc.

Security Non-Features

  • No prepared statements
  • No input sanitization (SQL injection wide open)
  • No CSRF tokens
  • No password hashing (plaintext in database)
  • No HTTPS enforcement
  • Admin actions logged but no rate limiting

---

4. GAMEPLAY MECHANICS

Core Game Loop

DragonSwords follows a clan-centric RPG progression:

1. Character Progression:

  • Level-based advancement (tracked in userdb)
  • Rank system (12 tiers: Peasent → Royal)
  • Equipment system: 4 armor slots (body, helm, gloves, boots) + weapon
  • Combat tracking: battleswon counter
  • Gold as primary currency

2. Clan System (Primary Feature):

Creating a Clan:

  • Requirements:
    • 2,000 battles won (demonstrates strength)
    • 5,000,000 gold (donation to wizard Ivar)
    • 40 Stardrops (magical components)
    • Must not be in another clan
  • Upon creation:
    • Clan ID assigned sequentially
    • Owner becomes clan leader
    • Auto-creates clan message board (mb table id=100+clanid)
    • Clan starts at default level

Clan Features:

  • Membership Management:
    • Owner can promote to "Elite" status (special permissions)
    • Kick members (tracked by clan_days = days in clan)
    • View inactive members sorted by last active time
    • Application system (clan_app table)
  • Clan Diplomacy:
    • Alliance proposals between clans
    • War declarations
    • Diplomatic terms negotiation
    • Both clans must confirm (clan1con/clan2con flags)
  • Clan Resources:
    • Donations: gold, nectar, hacks, crystals, diamonds, emeralds, rubys
    • Clan level progression
    • Clan power/influence ranking
  • Clan Ranking:
    • Sort by: Name, ID, Level, Influence
    • Member count display
    • Owner attribution

3. Resource Economy:

Multiple currency types:

  • Gold - Primary currency
  • Nectar - Special resource
  • Stardrops - Magical components
  • Crystals - Standard tier gems
  • Diamonds - Mid tier gems
  • Emeralds - High tier gems
  • Rubys [sic] - Premium gems
  • Variants: lcrystal, ldiamond, lemerald, scrystal, sdiamond, semerald, mcrystal, mdiamond, memerald
  • (l=light, s=small, m=medium variants)

4. Combat System:

  • Battle tracking (battleswon counter)
  • Equipment-based defense (arm table: cost, effect values)
  • Weapons with attack values (wep table)

5. Blacksmith System:

  • Clan brands (special clan-tied equipment)
  • Item crafting/upgrading
  • Comments in code: "REMIX ROCKS" (developer signature)

6. Social Systems:

  • Chat: Real-time chat with iframe integration
    • Staff color coding
    • Private messaging support
    • Special formatting ("remix" text gets styled overline/italics)
  • Message Boards: Clan-specific boards + general forums
  • Player Profiles: View other players' stats (view.php)
  • Staff Team: staff2.php dedicated page
  • Jail System: Admin can jail players (jailtime days, jail_by, jail_reason tracked)

7. Admin Features:

  • Player management (edit accounts, ban IP addresses)
  • Clan monitoring
  • Admin action tracking (admintrack table logs all admin commands)
  • Database backup via email (backup.php)

Unique Mechanics

  • Multi-resource economy with gem tier variants
  • Clan diplomacy system with bilateral confirmation requirements
  • Elite member status within clans
  • Clan message board auto-creation (id offset +100)
  • Latin day name conversion for medieval atmosphere
  • Load-balanced database connections (unusual for 2001-2004)

---

5. DATABASE SCHEMA DETAILS

Key Table Structures

userdb (Player Accounts) - CRITICAL SECURITY FLAW:


      CREATE TABLE `userdb` (
        `id` VARCHAR(9) NOT NULL,     -- Strange choice for user ID
        `email` VARCHAR(...),          -- Username (primary identifier)
        `password` TEXT,               -- PLAINTEXT PASSWORD
        `username` VARCHAR(...),       -- Display name
        `level` BIGINT(20),
        `gold` BIGINT(20),
        `clan` INT,                    -- Clan ID (0 = no clan)
        `clan_days` INT,               -- Days in current clan
        `clan_gold` BIGINT(20),        -- Total donated to clan
        `clanleet` TINYINT,            -- 1 = Elite status
        `rank` INT,                    -- 0-11 (Peasent to Royal)
        `battleswon` INT,
        `jailtime` INT,                -- Days remaining in jail
        `jail_by` VARCHAR(...),        -- Admin who jailed
        `jail_reason` VARCHAR(...),    -- Jail reason
        `active` VARCHAR(...),         -- "17/5 14:32:05" format
        `active2` VARCHAR(...),        -- "20041381432" format (YzHis)
        `ipaddress` VARCHAR(15),       -- Last login IP
        `stardrops` INT,               -- Magical resource
        `donated` INT,                 -- Total donations (unlock password change)
        `faith` INT,                   -- Mysterious stat (multiplier in code)
        -- ... many more fields for resources, stats, equipment
      )

clans (Clan Registry):


      CREATE TABLE `clans` (
        `id` SMALLINT(6) AUTO_INCREMENT,
        `name` VARCHAR(65),
        `owner` MEDIUMINT(9),          -- User ID of owner
        `level` BIGINT(20),
        `power` BIGINT(20),            -- Influence/ranking stat
        -- Likely more fields not visible in partial dump
        PRIMARY KEY (`id`)
      )

clan_dipl (Diplomacy System):


      CREATE TABLE `clan_dipl` (
        `clan1` INT(7),
        `clan2` INT(7),
        `type` VARCHAR(100),           -- Current relationship
        `proptype` VARCHAR(100),       -- Proposed relationship
        `clan1con` CHAR(1) DEFAULT 'N', -- Clan 1 confirmed?
        `clan2con` CHAR(1) DEFAULT 'N', -- Clan 2 confirmed?
        `terms` TEXT                    -- Negotiated terms
      )

  • No primary key (can have duplicate proposals)
  • Bilateral confirmation required (both 'Y' to activate)

clan_mem (Membership):


      CREATE TABLE `clan_mem` (
        `id` SMALLINT(6) AUTO_INCREMENT,
        `clanid` SMALLINT(6),
        `username` VARCHAR(50),
        `userid` MEDIUMINT(9),
        `status` VARCHAR(15) DEFAULT 'member', -- 'Owner', 'Elite', 'member'
        PRIMARY KEY (`id`)
      )

arm (Armor Items):


      CREATE TABLE `arm` (
        `id` MEDIUMINT(9) AUTO_INCREMENT,
        `type` VARCHAR(15),            -- Empty in all INSERT statements
        `name` VARCHAR(65),
        `iclass` VARCHAR(15),          -- 'barmor', 'helm', 'gloves', 'boots'
        `cost` BIGINT(20),
        `effect` BIGINT(20),           -- Defense bonus
        PRIMARY KEY (`id`)
      )

  • 20 items total: Rags (1 def, 1K gold) → Shadow Plate (75 def, 500K gold)
  • 4 equipment slots: body armor, helm, gloves, boots

chat_lines (Chat System):


      CREATE TABLE `chat_lines` (
        `id` INT(9) AUTO_INCREMENT,
        `userid` VARCHAR(9),
        `username` VARCHAR(100),
        `message` TEXT,
        `timesent` DATETIME,
        `staff` VARCHAR(15),           -- Staff color/status
        `private` VARCHAR(15),         -- Private message target
        PRIMARY KEY (`id`)
      )

admintrack (Admin Audit Log):


      CREATE TABLE `admintrack` (
        `time` INT(11),
        `admin` INT(10),               -- Admin user ID
        `msg` TINYTEXT                 -- Action description
      )

  • No primary key (append-only log)

bannedip (IP Bans):


      CREATE TABLE `bannedip` (
        `id` INT(11) AUTO_INCREMENT,
        `ipaddress` VARCHAR(15),
        `reason` VARCHAR(100),
        PRIMARY KEY (`id`)
      )

Data Integrity Issues

  • VARCHAR(9) for user IDs (inconsistent with MEDIUMINT elsewhere)
  • No foreign key constraints (manual JOIN integrity)
  • Duplicate ban tables (ban, bans, bannedip - unclear distinction)
  • Empty type field in arm table across all inserts
  • DATETIME fields for chat but VARCHAR for user activity tracking
  • No indexes beyond primary keys (performance issues on large datasets)

---

6. CODE QUALITY ASSESSMENT

Strengths

1. Complex Feature Set:

  • Sophisticated clan diplomacy system with bilateral confirmation
  • Multi-tier resource economy
  • Load-balanced database connections (advanced for 2001-2004)
  • Admin audit logging (admintrack)
  • IP-based ban system

2. Active Development History:

  • 9+ versions of clans.php showing iterative refinement
  • Backup files preserved (development archaeology possible)
  • Comments like "REMIX ROCKS" show personality
  • Multiple copyright updates (2001→2003→2004)

3. Social Features:

  • Integrated chat with staff colors
  • Clan-specific message boards
  • Player profile viewing
  • Jail system with reason tracking

Weaknesses

1. CRITICAL SECURITY VULNERABILITIES:

a) Multiple Hardcoded Credentials (CVSS 10.0 CRITICAL):

config.php:


      $db = mysql_connect("localhost", "remixi2_system", "alpha") or Die("Cant connect");
      mysql_select_db("remixi2_game") or Die(" Config - DB Error !");

gameconfig.php:


      // 6 different MySQL accounts with 2 passwords:
      "remixi2_thirdlog" / "login"
      "remixi2_forthlo" / "login"
      "remixi2_secondar" / "login"
      "remixi2_fifthlo" / "login"
      "remixi2_system" / "alpha"
      "remixi2_sixthlo" / "login"

backup.php:


      $dbuser = 'remixi2_thirdlog'; // Publicly visible
      $dbname = 'remixi2_gamedatabase';

Impact:

  • 6 hardcoded database accounts in source code
  • Password "login" used for 5 accounts
  • Password "alpha" used for system account
  • Database name "remixi2_game" exposed
  • Anyone with code access has full database control
  • CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H = 10.0 CRITICAL

b) Plaintext Password Storage (CVSS 9.8 CRITICAL):


      // index.php lines 60-66
      $userinfo = mysql_fetch_array($select);
      if ($userinfo) {
          $message = "You appear to have lost your password.\n\nPassword: $userinfo[password]";
          mail($email,"Lost password for DragonSword account: $userinfo[username]",$message,$headers);
      }

  • Passwords stored in plaintext in userdb table
  • Emailed in cleartext via "lost password" feature
  • No hashing (md5, bcrypt, etc.)
  • CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 CRITICAL

c) SQL Injection Everywhere (CVSS 9.8 CRITICAL):


      // gameconfig.php line 15
      $res = mysql_query("SELECT * FROM userdb WHERE email = '$email'");
      // index.php line 60
      $select = mysql_query("select * from userdb where email='$email'");
      // Clans.php - hundreds of unparameterized queries
      mysql_query("select * from clans where id > '0' order by $arr desc");
  • Zero parameterized queries across entire codebase
  • Direct variable interpolation in SQL
  • No addslashes() or mysql_real_escape_string()
  • User-controlled ORDER BY ($arr variable)
  • CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 CRITICAL
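
The login lookup and plaintext comparison from the Authentication Pattern in section 3, the plaintext storage in (b) and the `order by $arr` query in (c), rewritten with bound parameters, password hashes and a sort-column allowlist. This is an added example, not code from the DragonSwords archive: the `password_hash` column, the function names and the sample rows are assumptions, and an in-memory SQLite database stands in for MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not DragonSwords code. Table and column names follow the
// report's schema; password_hash, the function names and all rows are
// constructed for this demo.

function makeDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE userdb (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
                password TEXT, password_hash TEXT)');
    $pdo->exec('CREATE TABLE clans (id INTEGER PRIMARY KEY, name TEXT,
                level INTEGER, power INTEGER)');
    // Legacy row as the report describes it: password stored in plaintext.
    $pdo->exec("INSERT INTO userdb (email, password)
                VALUES ('alice@example.test', 'correct horse')");
    $pdo->exec("INSERT INTO clans (name, level, power)
                VALUES ('Ravens', 3, 900), ('Wolves', 7, 400)");
    return $pdo;
}

// One-off migration: hash every plaintext password, then blank the old column.
function migratePlaintextPasswords(PDO $pdo): int
{
    $rows = $pdo->query('SELECT id, password FROM userdb
                         WHERE password IS NOT NULL AND password_hash IS NULL')
                ->fetchAll(PDO::FETCH_ASSOC);
    $update = $pdo->prepare(
        'UPDATE userdb SET password_hash = :h, password = NULL WHERE id = :id'
    );
    foreach ($rows as $row) {
        $update->execute([
            ':h'  => password_hash($row['password'], PASSWORD_DEFAULT),
            ':id' => $row['id'],
        ]);
    }
    return count($rows);
}

// Replaces "SELECT * FROM userdb WHERE email = '$email'" and the
// `$playerinfo[password] != $password` comparison.
function checkLogin(PDO $pdo, string $email, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    // The e-mail travels as a bound value, so quotes in it stay data.
    $stmt = $pdo->prepare('SELECT password_hash FROM userdb WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();

    // Unknown or unmigrated account: verify against a dummy hash so both
    // paths do the same amount of work, then reject.
    $ok = password_verify($password, is_string($hash) ? $hash : $dummyHash);
    return $ok && is_string($hash);
}

// Replaces "select * from clans where id > '0' order by $arr desc".
// Column names cannot be bound as parameters, so the request value is mapped
// onto a fixed set of columns and anything else falls back to the default.
function rankClans(PDO $pdo, string $sortKey): array
{
    $allowed = ['name' => 'name', 'id' => 'id', 'level' => 'level', 'influence' => 'power'];
    $column = $allowed[strtolower($sortKey)] ?? 'power';
    $stmt = $pdo->query("SELECT id, name, level, power FROM clans ORDER BY $column DESC");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDemoDb();
printf("migrated rows: %d\n", migratePlaintextPasswords($pdo));
printf("valid login: %s\n",
    var_export(checkLogin($pdo, 'alice@example.test', 'correct horse'), true));
printf("quote-laden e-mail: %s\n",
    var_export(checkLogin($pdo, "' OR '1'='1' --", 'anything'), true));
printf("sorted by level: %s\n",
    implode(', ', array_column(rankClans($pdo, 'Level'), 'name')));
printf("unknown sort key: %s\n",
    implode(', ', array_column(rankClans($pdo, 'no_such_column'), 'name')));
```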

d) Reflected XSS (HIGH - CVSS 7.1):


      // index.php line 26
      <? if ($ref) {echo "?ref=$ref";}?>
      // No htmlspecialchars() on user input
      echo "Information emailed.";  // After database query with user input
  • No output encoding
  • User input directly echoed to page
  • CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N = 7.1 HIGH

e) Authentication Bypass Potential (CRITICAL - CVSS 9.1):


      // Clans.php line 130
      if ($action == buyclany && $playerinfo[id] == "55") {
      // Create clan logic - hardcoded user ID check
      }
  • Auth check compares string vs array value (type juggling)
  • Password passed on every request via GET/POST (interception risk)
  • No session management (cookies only, easily forged)
  • CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L = 9.1 CRITICAL

2. Code Architecture Disasters:

Spaghetti Code:

  • 2,291-line Clans.php (single monolithic file)
  • No functions or classes - everything in global scope
  • Nested if/elseif chains hundreds of lines deep
  • Action routing via string comparison (no framework)

No File Organization:

  • All 516 files in single directory
  • No separation of concerns (MVC, modules, etc.)
  • Mix of production, backup, and development files

Inconsistent Development:

  • 9 versions of clans.php left in production
  • .phpold, .phpb, .php(backup) files scattered
  • Typos in data: "Peasent", "rubys", "helmut" (Space Helmut)

Magic Numbers Everywhere:

  • Hardcoded user ID checks: if ($playerinfo[id] == "55")
  • Clan board ID offset: $mbid = 100+$newclanid;
  • Game logic parameters scattered in code (5M gold, 2K wins, 40 stardrops)

3. Database Misuse:

  • No foreign keys - orphaned records possible
  • No transactions - MyISAM engine lacks ACID compliance
  • VARCHAR(9) for IDs - type inconsistency
  • Duplicate tables - ban, bans, bannedip (unclear purpose)

4. Missing Best Practices:

  • No error handling - Die() with error messages exposes SQL structure
  • No input validation - numeric fields accept any string
  • No rate limiting - clan creation, chat, admin actions unthrottled
  • No HTTPS - plaintext passwords transmitted over network
  • No backups - backup.php emails SQL dumps (security risk)
  • No version control - .php1, .php2, .phpbackup indicates no Git

Code Style

  • Readability: Poor - 2000+ line files, no structure
  • Consistency: Terrible - mix of coding styles, random spacing
  • Documentation: None - zero comments except "REMIX ROCKS"
  • Error Handling: Dangerous - exposes database structure in errors
  • DRY Principle: Violated constantly - copy-paste code everywhere

---

7. MODERN ASSESSMENT (2025 Viability)

Deployment Feasibility: ABSOLUTELY IMPOSSIBLE

Fatal Blockers:

  • Multiple hardcoded credentials in public source code - database compromise instant
  • Plaintext password storage - violates every compliance standard
  • SQL injection on every endpoint - complete database takeover trivial
  • PHP 4.x code - Incompatible with PHP 7.0+ (removed features)
  • mysql_* functions removed - All database code non-functional
  • Zero security measures - No input sanitization anywhere

Technical Debt Score: 10/10 (Maximum Possible)

This is the worst code quality I've seen in this collection. Even for 2001-2004 standards, this was negligent.

Why Maximum Score:

  • Hardcoded production credentials in 3 separate files
  • Plaintext passwords emailed to users
  • Not a single parameterized query in 196 PHP files
  • 516 files in one directory (organizational chaos)
  • 9 backup versions of same file left in production
  • Type juggling authentication bugs
  • 2,291-line monolithic files

Modernization Effort Required:

This codebase is not salvageable. Modernization would mean:

  • Complete rewrite from scratch: 1,000+ hours
  • Database schema redesign: 80 hours
  • Security audit and fixes: IMPOSSIBLE (too many vulnerabilities)
  • UI/UX redesign: 200 hours
  • Testing: 400 hours
  • TOTAL: 1,680+ hours (~10 months full-time)

Estimated Cost: $126,000 - $252,000 USD (contractor @ $75-150/hr)

Verdict: Not worth saving. Start fresh with modern framework.

Historical Value: MODERATE

Preservation Worthiness: 5/10

Why Preserve:

  • Example of 2001-2004 web RPG development
  • Shows evolution of clan systems in web games
  • Load-balanced connection code (unusual for era)
  • Latin day names show attention to theme

Why Not Preserve:

  • Security negligence demonstrates what NOT to do
  • No unique gameplay innovations
  • Spaghetti code offers no educational value
  • Multiple better examples exist (Phaos, Vallheru)

Archival Recommendations:

  • DO NOT publish source code (contains production credentials)
  • Redact all credentials before any archival
  • Create write-up of clan diplomacy system design (only unique aspect)
  • Screenshots of UI for visual history
  • Warn future researchers: This is anti-pattern showcase
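
One way to carry out the "redact all credentials before any archival" step: a line-based pass that blanks the credential shapes this report quotes (`mysql_connect()` string literals and `$dbuser`-style assignments) and records where they were found. This is an added example, not part of the archive; the function name, the placeholder strings and the sample source are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not part of the archive. redactCredentials(), the
// REDACTED_* placeholders and the sample source below are constructed.

/**
 * Returns ['source' => redacted text, 'findings' => [[line, kind, count], ...]].
 * Line-based: a call whose arguments are split across lines is not matched,
 * so review the findings list against a manual grep before publishing.
 */
function redactCredentials(string $source): array
{
    $patterns = [
        // mysql_connect("host", "user", "pass"): keep the host, blank the rest.
        'mysql_connect literal' => [
            '/(mysql_p?connect\s*\(\s*(["\']).*?\2\s*,\s*)(["\']).*?\3(\s*,\s*)(["\']).*?\5/i',
            '$1"REDACTED_USER"$4"REDACTED_PASSWORD"',
        ],
        // $dbuser = '...'; $dbname = "..."; $password = '...'; and similar.
        'credential assignment' => [
            '/(\$(?:db\w*|\w*pass\w*|\w*pwd\w*)\s*=\s*)(["\']).*?\2/i',
            '$1"REDACTED"',
        ],
    ];

    $findings = [];
    $lines = explode("\n", $source);
    foreach ($lines as $i => $line) {
        foreach ($patterns as $kind => [$regex, $replacement]) {
            $line = preg_replace($regex, $replacement, $line, -1, $count);
            if ($count > 0) {
                $findings[] = ['line' => $i + 1, 'kind' => $kind, 'count' => $count];
            }
        }
        $lines[$i] = $line;
    }
    return ['source' => implode("\n", $lines), 'findings' => $findings];
}

// Constructed sample in the style of the quoted config files (not real values).
$sample = <<<'SRC'
$db = mysql_connect("localhost", "demo_user", "demo_pass")
    or mysql_connect("localhost", "demo_backup", "demo_pass")
    or Die("I cannot connect to the database");
$dbuser = 'demo_user';
$dbname = 'demo_game';
$res = mysql_query("SELECT * FROM userdb WHERE email = '$email'");
SRC;

$result = redactCredentials($sample);
echo $result['source'], "\n\n";
foreach ($result['findings'] as $f) {
    printf("line %d: %s (x%d)\n", $f['line'], $f['kind'], $f['count']);
}
```

Redaction protects the published copy only; any password that ever shipped in an archive should be treated as disclosed and rotated wherever it is still in use.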

Comparative Analysis

Similar Games:

  • Phaos - Better code quality, more features
  • Vallheru - Similar clan focus, cleaner implementation
  • MC Codes - Framework approach vs spaghetti
  • Mafia Wars - Similar resource economy

DragonSwords' Position:

  • More complex clan system than most
  • Worse code quality than all contemporaries
  • Multiple hardcoded credentials (unique failure)
  • Load balancing attempt (interesting, poorly executed)

Unique "Features":

  • 6 hardcoded database accounts (record for this collection)
  • 9 backup PHP files left in production (development artifacts)
  • Plaintext passwords emailed (security disaster)
  • String-based user ID (VARCHAR(9) - bizarre choice)

---

8. SECURITY ANALYSIS

Vulnerability Summary

| Vulnerability | Severity | CVSS Score | Exploitability | Impact |
|---|---|---|---|---|
| 6 Hardcoded DB Credentials | CRITICAL | 10.0 | Trivial | Complete system compromise |
| Plaintext Password Storage | CRITICAL | 9.8 | Trivial | All user accounts compromised |
| SQL Injection (all queries) | CRITICAL | 9.8 | Trivial | Database takeover, data theft |
| Authentication Bypass | CRITICAL | 9.1 | Easy | Admin access, account takeover |
| Reflected XSS | HIGH | 7.1 | Easy | Session hijacking, phishing |
| No CSRF Protection | MEDIUM | 6.5 | Easy | Unauthorized admin actions |
| Cleartext Password Transmission | HIGH | 8.1 | Medium | MITM credential theft |
| Information Disclosure (errors) | MEDIUM | 5.3 | Trivial | Database structure exposed |

Detailed Exploit Scenarios

1. Database Credential Exploitation:

Attack Vector: Source code disclosure (common in 2004 - no .htaccess protection)

Steps:

  • Attacker downloads config.php or gameconfig.php
  • Discovers 6 hardcoded accounts:
    • remixi2_system / alpha
    • remixi2_thirdlog / login
    • remixi2_secondar / login
    • (+ 3 more failover accounts)
  • Connects to MySQL from external server (if 3306 exposed)
  • OR uses SQL injection to execute:

      SELECT * INTO OUTFILE '/tmp/dump.txt' FROM userdb

  • Full database access, extract all plaintext passwords
  • Login as any user including admins
  • Modify game data, steal user information, deface website

Time to Exploit: <5 minutes

Mitigation: Literally none - credentials hardcoded

2. SQL Injection Mass Account Theft:

Attack Vector: Email parameter in login

Payload: email=' OR '1'='1' --

Steps:

  • POST to check.php with:

      email=' OR '1'='1' --
      password=anything

  • SQL becomes: SELECT * FROM userdb WHERE email='' OR '1'='1' --'
  • Returns all users (first row = admin account)
  • Login granted as administrator
  • Access Admin.php with full privileges
  • Extract entire userdb table (all plaintext passwords)
  • Email passwords to self via lost password feature
  • Account takeover of entire game population

Time to Exploit: 30 seconds

Mitigation: None - no input sanitization exists

3. Plaintext Password Email Interception:

Attack Vector: Man-in-the-Middle (no HTTPS)

Steps:

  • Victim uses "Lost Password" feature on index.php
  • Email sent in cleartext via SMTP (no TLS in 2004)
  • Attacker intercepts network traffic
  • Email contains: "Password: [PLAINTEXT]"
  • Login as victim
  • If victim is clan owner, steal clan resources
  • If victim is admin, compromise entire game

Time to Exploit: Dependent on network position (minutes to hours)

Mitigation: None - plaintext passwords stored in database

4. XSS-Based Session Hijacking:

Attack Vector: Reflected XSS in ref parameter

Payload: ref=

Steps:

  • Craft malicious signup link:

https://dsrpg.com/signup.php?ref=

  • Send to victim (e.g., "Join my clan!" in chat)
  • Victim clicks link
  • Script executes, sends email/password cookies to attacker
  • Attacker logs in as victim
  • Repeat for admin accounts

Time to Exploit: Social engineering dependent (hours to days)

Mitigation: None - no output encoding

5. Authentication Type Juggling:

Attack Vector: Loose type comparison in clan creation

Code: if ($playerinfo[id] == "55")

Exploit:

  • Attacker registers account
  • SQL injection to set their id to string "55" or boolean true
  • Type juggling: PHP compares loosely
  • $playerinfo[id] (array access) vs "55" (string)
  • Potential bypass if id manipulated to match
  • Create clan for free, skip requirements

Time to Exploit: 10 minutes (requires SQL injection first)

Mitigation: None - loose comparison throughout codebase

Security Posture Score: 0/10 (Catastrophic)

Why 0/10:

  • 6 hardcoded credentials - Unprecedented in this collection
  • Plaintext passwords emailed - Actively promotes insecurity
  • Zero input sanitization - Not even attempted
  • No security awareness - Comments show no concern
  • Production credentials in backups - Left in public webroot

Comparison to Other Games:

  • dark_step: Had 1 hardcoded password (bad) - DragonSwords has 6 (catastrophic)
  • devana: Had empty password (fixable) - DragonSwords has plaintext storage (unfixable)
  • dirty_life: Had no code (0 bytes) - DragonSwords has anti-pattern code (worse than nothing)

Compliance Assessment

OWASP Top 10 (2004 Edition) Violations:

  • A1 - Unvalidated Input (SQL injection everywhere)
  • A2 - Broken Access Control (type juggling auth)
  • A3 - Broken Authentication (plaintext passwords)
  • A4 - Cross-Site Scripting (no output encoding)
  • A5 - Buffer Overflows (not applicable to PHP)
  • A6 - Injection Flaws (SQL injection)
  • A7 - Improper Error Handling (SQL errors exposed)
  • A8 - Insecure Storage (plaintext passwords)
  • A9 - Denial of Service (no rate limiting)
  • A10 - Insecure Configuration (hardcoded credentials)

Result: 10/10 OWASP Top 10 violations (perfect failure score)

PCI-DSS Compliance: CATASTROPHIC FAIL (if any payment processing)

GDPR Compliance: ILLEGAL (plaintext password storage violates Article 32)

COPPA Compliance: ⚠️ UNKNOWN (no age verification visible)

HIPAA Compliance: N/A (not healthcare, but would fail every control)

Legal Liability:

If this game was operating in 2025:

  • GDPR fines: Up to €20M or 4% global revenue (whichever is higher)
  • Data breach notification: Required within 72 hours of discovery
  • User lawsuits: Class action for negligent security practices
  • Criminal charges: Possible for grossly negligent data handling

---

9. INNOVATION & GAMEPLAY RATING

Innovation Score: 4/10

Novel Features (for 2001-2004):

  • Bilateral Clan Diplomacy (+1.5) - Alliance/war proposals with dual confirmation (clan1con/clan2con) was sophisticated for era
  • Load-Balanced Connections (+1.0) - Random connection pooling (primitive but innovative for 2001)
  • Multi-Tier Resource Economy (+0.5) - Gems with light/small/medium variants shows complexity
  • Clan Message Board Auto-Creation (+0.5) - Dynamic board generation (id=100+clanid) was clever
  • Elite Member Status (+0.5) - Hierarchy within clans (Owner/Elite/member) added social depth

Derivative Elements:

  • Level/rank progression: Standard RPG fare
  • Equipment slots: 4 armor + weapon (basic)
  • Chat system: Common feature
  • Jail system: Copied from other games
  • Gold economy: Universal in web RPGs

Poorly Executed Ideas:

  • Load balancing: Random selection (not true load distribution)
  • Multiple gem tiers: No clear gameplay purpose for l/s/m variants
  • 9 clan.php versions: Shows development chaos, not iteration

Missed Opportunities:

  • No PvP combat despite clan wars
  • No territory control or clan bases
  • No crafting depth (blacksmith underutilized)
  • No quests or storyline
  • Latin day names unused in gameplay

Gameplay Quality: 3/10

Strengths:

  • Deep clan system with diplomacy
  • 12-tier rank progression (Peasent → Royal)
  • Multiple resource types create economic complexity
  • Elite status provides clan hierarchy

Weaknesses:

  • No clear gameplay loop - What do you do besides join clans?
  • Grind-focused - 2,000 battles for clan creation
  • Resource bloat - Too many gem types (l/s/m variants pointless)
  • Equipment progression shallow - 20 armor items, linear cost scaling
  • No endgame - Clan creation is goal, then what?
  • Social features underdeveloped - Chat exists but no community building

User Experience: 2/10

Positive Aspects:

  • Clan diplomacy system provides strategic depth
  • Staff team available (staff2.php page)
  • Player profiles for social discovery

Negative Aspects:

  • 516 files = slow page loads (no optimization)
  • Iframes for chat (clunky 2004 UI pattern)
  • No visual feedback - All text-based
  • Table-based layout (not even CSS properly used)
  • Typos everywhere - "Peasent", "Helmut", "rubys", "otheriwse"
  • Confusing navigation - No clear menu structure visible
  • Lost-password feature emails passwords in plaintext - Terrible UX security-wise

Long-Term Engagement Potential: 2/10

Retention Factors:

  • Clan loyalty might keep players (social bonds)
  • Diplomacy system provides strategic metagame
  • Rank progression to Royal (12 levels)

Churn Factors:

  • Massive grind (5M gold, 2K wins for clan)
  • No clear activities beyond leveling and clan drama
  • Security concerns (plaintext passwords would scare aware users)
  • Unclear mechanics (what are stardrops? what does faith do?)
  • No content updates (2004 snapshot = stagnant)

Cultural Impact: 3/10

DragonSwords appears to have been a small community game:

  • MPOGD voting mentioned (Multiplayer Online Games Directory)
  • Remixication Inc. not found in other game archives
  • No lasting influence - Code not reused or forked (thank goodness)
  • Clan diplomacy may have inspired later games

Why Low Impact:

  • No evidence of large player base
  • No forum discussions found in modern web searches
  • Copyright limited to dsrpg.com/.co.uk (single game, not company)
  • Security disaster likely killed game early (data breach?)

---

10. RECOMMENDATIONS & CONCLUSIONS

For Historians/Archivists

Preservation Strategy:

⚠️ CRITICAL WARNING: This archive contains production database credentials. Do NOT publish without redaction.

Recommended Actions:

  • Redact Credentials:
      • config.php lines 3-4 (remixi2_system/alpha)
      • gameconfig.php lines 5-7 (all 6 accounts/passwords)
      • backup.php lines 7-9 (database access)
  • Archive Selectively:
      • Clans.php + diplomacy system (unique feature)
      • SQL schema (clan tables interesting)
      • Screenshots of UI (if any exist)
  • Document as Anti-Pattern:
      • Create "What Not To Do" tutorial
      • Use as security education example
      • Highlight hardcoded credentials as #1 sin
  • Attempt Contact:
      • The game's listed contact email address (likely dead)
      • Search for "Remixication Inc." survivors
      • MPOGD archives might have community discussions
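
A sketch of the redaction step above, added here as an example (it is not code from the archive or from this report's author): it overwrites the listed line ranges, then scans every .php-named file, backup variants included, for credential-like literals that the line list did not cover. The sample tree, the config.php.bak file name, the marker text and the detection regex are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# File -> inclusive 1-based line range, taken from the report's redaction list.
REDACT = {"config.php": (3, 4), "gameconfig.php": (5, 7), "backup.php": (7, 9)}
MARKER = "// [REDACTED before archival]"
# Heuristic (an assumption): a quoted literal assigned to a credential-like variable.
LEFTOVER = re.compile(r"""\$\w*(pass|pwd|user)\w*\s*=\s*['"][^'"]+['"]""", re.I)

def redact_tree(root):
    """Overwrite the listed line ranges in place; return {file: lines redacted}."""
    done = {}
    for name, (first, last) in REDACT.items():
        path = Path(root) / name
        if not path.is_file():
            continue
        lines = path.read_text(encoding="latin-1").splitlines()
        stop = min(last, len(lines))  # a short file redacts fewer lines; check the count
        for i in range(first - 1, stop):
            lines[i] = MARKER
        path.write_text("\n".join(lines) + "\n", encoding="latin-1")
        done[name] = max(0, stop - (first - 1))
    return done

def scan_leftovers(root):
    """Scan every *.php* file, backup variants included, for credential literals."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and ".php" in path.name.lower():
            for n, line in enumerate(path.read_text(encoding="latin-1").splitlines(), 1):
                if LEFTOVER.search(line):
                    hits.append((str(path.relative_to(root)), n))
    return hits

def build_sample(root):
    """Constructed stand-in tree: fake values on the listed lines plus a stray backup."""
    for name, (first, last) in REDACT.items():
        body = ["<?php"] + ["// filler"] * (last + 1)
        for i in range(first - 1, last):
            body[i] = '$dbpass%d = "EXAMPLE-ONLY";' % i
        (Path(root) / name).write_text("\n".join(body) + "\n")
    (Path(root) / "config.php.bak").write_text('<?php\n$dbpass = "EXAMPLE-ONLY";\n')

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        before = len(scan_leftovers(tmp))
        return redact_tree(tmp), before, scan_leftovers(tmp)
```

Calling demo() returns the per-file redaction counts, the number of credential-like lines found before redaction, and the hits that remain afterwards. The remaining hit is the backup copy, which is why a line-number list alone is not enough for an archive with this many backup variants.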

Historical Value: 5/10 - Interesting diplomacy system, terrible implementation

For Developers

⛔ DO NOT ATTEMPT TO RUN OR MODERNIZE ⛔

Why This Code is Beyond Saving:

  • 6 hardcoded production credentials - Ethics violation to deploy
  • Plaintext passwords - Illegal in many jurisdictions (GDPR)
  • 100% vulnerable to SQL injection - Every query needs rewriting
  • No framework or structure - Rewrite would be faster than refactor
  • 2,291-line monolithic files - Untestable, unmaintainable

If You Must Learn From It:

  • Study the clan diplomacy system design (not code)
  • Analyze the bilateral confirmation pattern
  • Note the load-balancing attempt (concept only)
  • Use security flaws as teaching examples

Modern Equivalent Tech Stack:

DO NOT CLONE THIS GAME. If building a clan-based RPG:

  • Backend: Laravel 10 (PHP 8.2) - Framework enforces best practices
  • Database: PostgreSQL - ACID compliance, better data types
  • Auth: Laravel Sanctum - bcrypt, 2FA, CSRF protection built-in
  • API: RESTful with Passport - Separate frontend/backend
  • Frontend: Vue.js 3 - Reactive UI, no page reloads
  • Deployment: Docker + AWS - Secrets Manager for credentials (NEVER in code)

Estimated Rewrite Effort:

  • Core RPG engine: 200 hours
  • Clan diplomacy system: 120 hours
  • Multi-resource economy: 80 hours
  • Social features (chat, profiles): 60 hours
  • Admin panel: 40 hours
  • Security audit: 80 hours
  • Testing: 150 hours
  • TOTAL: 730 hours (~18 weeks)
  • COST: $54,750 - $109,500 USD

ROI: NEGATIVE - Niche game, no monetization visible, 2004 audience gone

For Players

⛔ DO NOT ATTEMPT TO PLAY ⛔

Why This Game is Dangerous:

  • Your password stored in plaintext - Admin can read it
  • SQL injection - Hackers can steal all accounts
  • No HTTPS - Passwords transmitted over internet in cleartext
  • Hardcoded credentials - Database likely compromised
  • XSS vulnerabilities - Malicious users can hijack your session

If You Want a Clan-Based Web RPG in 2025:

  • Clan Wars (clw.se) - Modern, maintained, secure
  • Tribal Wars - Active community, mobile support
  • Torn City - Crime RPG with factions
  • OGame - Space strategy with alliances
  • Shattered Pixel Dungeon - Solo dungeon crawler (if you want safe nostalgia)

Nostalgia Viewing Only:

  • Set up a PHP 5.6 Docker container (ISOLATED NETWORK)
  • Redact all credentials in config files
  • Run localhost ONLY (never expose to internet)
  • Use fake data (never real passwords)

For Collectors

Archival Value: ⭐⭐☆☆☆ (2/5)

Why Worth Keeping:

  • Bilateral clan diplomacy system (interesting design)
  • Load-balancing attempt (historical curiosity)
  • Example of 2001-2004 security negligence
  • MPOGD era community game documentation

Why Low Value:

  • Code quality catastrophic (no educational value as positive example)
  • Security disasters make it dangerous to study
  • No unique gameplay innovations
  • Small game (not culturally significant)
  • Multiple hardcoded credentials = ethics issue

Rareness: ⭐⭐⭐☆☆ (3/5)

  • Likely private game (dsrpg.com offline)
  • No evidence of other copies
  • Remixication Inc. obscure
  • But: Generic mechanics, not historically important

Overall Assessment

Category | Rating | Notes
Innovation | ★★★☆☆☆☆☆☆☆ 3/10 | Bilateral clan diplomacy system interesting, load-balancing concept advanced for 2001, but execution terrible
Code Quality | ★★☆☆☆☆☆☆☆☆ 2/10 | 2,291-line monoliths (Clans.php), 9+ backup files in production, no documentation, single-folder chaos (516 files)
Security | ★☆☆☆☆☆☆☆☆☆ 1/10 (CATASTROPHIC) | 6 hardcoded credentials + plaintext passwords + zero sanitization = CVSS 10.0 CRITICAL. Record-setting failure.
Documentation | ☆☆☆☆☆☆☆☆☆☆ 0/10 | No README, INSTALL, or docs. Comments sparse. Credentials exposed in backup.php publicly.
Gameplay Design | ★★★★★☆☆☆☆☆ 5/10 | 12-tier ranks, multi-resource economy, bilateral clan diplomacy, jail system - complex features undermined by broken implementation
Historical Value | ★★☆☆☆ 2/5 | Clan diplomacy system worth studying (design only). Security disaster valuable as cautionary tale. Otherwise generic 2001 RPG.
Preservation Priority | ★★★☆☆ 3/5 (MEDIUM) | ⚠️ Preserve design concepts only, MUST redact all 6 credentials before public archival. Security education value.
Modernization Feasibility | ★☆☆☆☆☆☆☆☆☆ 1/10 (REBUILD ONLY) | $75K-150K complete rewrite. Ethics violation to deploy with hardcoded credentials. No framework, no tests, SQL injection everywhere.
Overall Grade | F (CATASTROPHIC) | DO NOT RUN. 6 hardcoded credentials worst in 79-game collection. Bilateral diplomacy design interesting but implementation criminally negligent.

Final Verdict

Summary: DragonSwords is a catastrophic security disaster masquerading as a clan-based RPG. While the bilateral diplomacy system shows some design thoughtfulness, the implementation is so fundamentally broken that it represents a danger rather than a resource. With 6 hardcoded production credentials, plaintext password storage, and zero input sanitization across 196 PHP files, this codebase violates every security principle established even by 2001 standards.

Best Use Cases in 2025:

  • Security education - "What NOT to do" teaching example
  • Historical documentation - Preserve diplomacy system design (not code)
  • ⚠️ Code archaeology - Study development chaos (9 backup files)
  • NOT for deployment - Criminally negligent security
  • NOT for learning to code - Anti-patterns throughout
  • NOT for playing - Actively dangerous to users

Historical Legacy: DragonSwords will be remembered, if at all, as an example of how not to build secure web applications. The presence of 6 hardcoded production credentials in publicly-readable source code is a record-setting failure in this collection of 79 games. The bilateral clan diplomacy system deserves a footnote as an interesting design pattern, but the implementation negligence overshadows any innovation.

Preservation Priority: MEDIUM - Preserve design concepts only, redact all credentials, warn future researchers of security nightmares.

Epitaph: "A cautionary tale of what happens when ambition exceeds security awareness. The clan system showed promise; the execution showed recklessness."

---

Analysis Completed: December 2025

Confidence Level: 98% (complete source review, all credentials documented, SQL schema analyzed)

Recommended Action: ARCHIVE WITH REDACTION - Remove all credentials before any public preservation

Security Warning: ⚠️ DO NOT RUN - Multiple critical vulnerabilities make deployment criminally negligent

Next Game in Collection: dragon_sword_2_rpg (20/79 complete - 25.3%)

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.