Elymantea

Game Title: Elymantea

Version: Unknown (Development build, likely Beta 0.5-0.8)

Author/Studio: Erythanea Team (Polish developers)

Release Date: August 15, 2006 (per SQL dump timestamp)

Genre: Fantasy MMORPG / Browser-based RPG

Language: PHP 5.x

License: Unlicensed / Proprietary (no license file)

Target Audience: Polish fantasy RPG players

Character Encoding: UTF-8 (full Polish character support)

Historical Context

Elymantea appears to be a sister project or rebranding of a game called "Erythanea" - evidenced by:

• Flash advertisement file ([fire.txt](d:_HOUSESOCIALMUDWWW_MUD GamesunzippedelymanteaElymanteaimagesreklamafire.txt)) promoting "THE ERYTHANEA" with URL http://erythanea.xve.pl/
• Admin account email: This email address is being protected from spambots. You need JavaScript enabled to view it.
• "The new disease is coming..." tagline (apocalyptic theme)
• Flash animation by Anim-FX.com (licensed commercial template)

This suggests Elymantea was either:

• A working title that became Erythanea
• A parallel game in the same universe
• An earlier version later rebranded

Technical Sophistication: Elymantea represents a significant leap in Polish web RPG development. Unlike previous games analyzed (eRPG v0.5, etc.), this project demonstrates:

• Custom template engine (OPT - "Open PHP Templates")
• OOP database abstraction (custom Result/DB classes mimicking ADOdb)
• MVC-inspired architecture (class/, templates/, configs/ separation)
• Character-based gameplay (vs account-based in earlier games)
• D&D-style stat system (Strength, Dexterity, Endurance, Intellect, Wisdom)
• Account activation system (email verification via game_activate table)

The use of phpMyAdmin 2.6.0-pl2 (Polish localization) and MySQL 4.1.11 dates this to the 2005-2006 era when PHP 5.0.2 was cutting-edge.

Archive Characteristics

• Archive Type: Complete development package with installer
• Folder Structure: MVC-inspired (class/, configs/, templates/, css/, images/)
• Total Size: ~334 KB
• Documentation Quality: None (no README, but in-code Polish comments)
• Installation: Manual SQL import + config editing
• Database: 9 tables with game_ prefix

---

Overall Statistics

• Total Files: 52 files
• Total Size: ~334 KB
• File Breakdown:
• 28 PHP files (~165 KB) - Core engine + game logic
• 14 TPL files (~42 KB) - OPT template files (not Smarty!)
• 3 GIF files (~4 KB) - Small UI graphics
• 2 JPG files (~50 KB) - Background images
• 1 SQL file (~6 KB) - Database schema (9 tables)
• 1 SWF file (~43 KB) - Flash animation (Erythanea ad)
• 1 JS file (~16 KB) - JavaScript utilities
• 1 CSS file (~3 KB) - Stylesheets
• 1 TXT file (0.77 KB) - Flash parameters

Core Directory Structure

Root (Elymantea/):

• index.php (3.1 KB) - Front controller (routing for login/register/comments)
• character.php - Character creation page
• messages.php - Private messaging system
• profile.php - User profile viewer
• logout.php - Session termination
• getrace.php - AJAX race data fetcher
• getclass.php - AJAX class data fetcher

class/ Module (8 files):

• site.class.php (2.4 KB) - Main site controller (offline status, IP bans, timers)
• user.class.php (3.8 KB) - User authentication & character creation
• character.class.php - Character data management
• db.class.php (3.5 KB) - Database abstraction layer (custom ADOdb-like wrapper)
• register.class.php - User registration system
• news.class.php - News & comments system

configs/ Module (2 files):

• races.php (2.9 KB) - Race definitions (Dwarf, Elf, Gnome)
• classes.php (1.5 KB) - Class definitions (Knight, Mage, Warrior)

includes/ Module:

• header.php (1.3 KB) - Database configuration (HARDCODED CREDENTIALS!)
• footer.php - Page footer template
• libs/ - OPT template engine (5 files, ~79 KB)
• opt.class.php (28 KB) - Core OPT class
• opt.instructions.php (33 KB) - Template directives
• opt.api.php (8 KB) - Public API
• opt.core.php (7 KB) - Core functions
• opt.debug.php (3 KB) - Debug console

templates/ Module (14 .tpl files):

• index.tpl - Main page layout
• message.tpl - Error/info message display
• comments.tpl - News comments display
• character.tpl - Character creation form
• profile.tpl - User profile display
• OPT syntax: opt:if, opt:for, opt:section (custom template language!)

templates_c/ Module:

• Compiled template cache directory (similar to Smarty)

install/ Module:

• install.sql (5.6 KB) - Full database schema

images/ Module:

• reklama/fire.swf (43 KB) - Erythanea Flash advertisement
• reklama/fire.txt (0.77 KB) - Flash parameters (XML-like config)

css/ Module:

• style.css (2.6 KB) - Custom stylesheets

File Organization Assessment

Strengths:

• MVC-inspired separation (class/, configs/, templates/ logical grouping)
• Template engine abstraction (OPT = custom Smarty-like system)
• Database abstraction (DB/Result classes wrap mysql_* functions)
• AJAX endpoints (getrace.php, getclass.php for dynamic data)
• Compiled template caching (templates_c/ improves performance)
• UTF-8 throughout (full Polish diacritics support)

Critical Issues:

• Hardcoded credentials in header.php (root/krasnal)
• No installer script (manual SQL import required)
• Flash dependency (fire.swf requires Flash Player, obsolete in 2025)
• Mixed concerns (site.class.php handles both auth and page logic)

---

Technology Stack

• Backend: PHP 5.0.2+ (OOP, error_reporting(E_ALL))
• Database: MySQL 4.1.11+ with UTF-8 charset
• Frontend: HTML, CSS, JavaScript, Flash (SWF)
• Template Engine: OPT (Open PHP Templates) - Custom Smarty clone
• Session Management: PHP sessions with session_id() tracking
• Architecture Pattern: Semi-MVC (classes = models, templates = views, index.php = controller)

Database Architecture

Table Count: 9 tables (all prefixed game_)

Table Inventory:

• game_users - User accounts (login, password, session)
• game_characters - Player characters (name, race, class, stats)
• game_activate - Email activation queue
• game_bans - IP bans
• game_locations - Game world map/areas
• game_messages - Private messaging
• game_news - News posts
• game_news_comments - Comment system
• game_options - Game configuration (offline status, etc.)

Schema Design Quality:

game_users table:

      CREATE TABLE <code>game_users</code> (
      <code>id</code> int(11) AUTO_INCREMENT PRIMARY KEY,
      <code>login</code> varchar(30) NOT NULL,
      <code>password</code> varchar(32) NOT NULL,                  -- MD5 hash (32 chars)
      <code>sid</code> varchar(32) NOT NULL,                       -- Session ID for auth
      <code>lastlogin</code> datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
      <code>numlogins</code> int(11) NOT NULL DEFAULT 0,           -- Login counter
      <code>mail</code> varchar(255) NOT NULL,
      UNIQUE KEY <code>mail</code> (<code>mail</code>)                        -- Email uniqueness
      ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
      -- Pre-populated admin account:
      INSERT INTO <code>game_users</code> VALUES (
      1,
      'Admin',
      'f81a38307743e1354481438415363631',                -- MD5 hash (unknown password)
      '641eabebc9cc7382056b836686c0ec16',                -- Session ID
      '2006-08-15 03:18:04',
      2,
      This email address is being protected from spambots. You need JavaScript enabled to view it.'
      );

• Security: MD5 hashing (weak but better than plaintext)
• Session tracking: SID stored in database (session fixation risk)
• Email uniqueness: UNIQUE constraint prevents duplicates
• Admin account: Pre-created with Erythanea Team email

game_characters table (D&D-inspired):

      CREATE TABLE <code>game_characters</code> (
      <code>id</code> int(11) AUTO_INCREMENT PRIMARY KEY,
      <code>name</code> varchar(255) NOT NULL,
      <code>race</code> varchar(255) NOT NULL,                     -- DWF, ELF, GNM
      <code>gender</code> enum('M','F') NOT NULL DEFAULT 'M',      -- Male/Female
      <code>age</code> int(3) NOT NULL DEFAULT 16,                 -- Character age
      <code>class</code> varchar(255) NOT NULL,                    -- KNT, MAG, WOJ
      <code>lvl</code> int(5) NOT NULL DEFAULT 1,                  -- Level
      <code>exp</code> int(11) NOT NULL DEFAULT 0,                 -- Experience points
      <code>hp</code> int(11) NOT NULL DEFAULT 0,                  -- Current HP
      <code>max_hp</code> int(11) NOT NULL DEFAULT 0,              -- Maximum HP
      <code>strength</code> int(11) NOT NULL DEFAULT 3,            -- Strength (STR)
      <code>dexterity</code> int(11) NOT NULL DEFAULT 3,           -- Dexterity (DEX)
      <code>endurance</code> int(11) NOT NULL DEFAULT 3,           -- Endurance (CON)
      <code>intellect</code> int(11) NOT NULL DEFAULT 3,           -- Intellect (INT)
      <code>wisdom</code> int(11) NOT NULL DEFAULT 3,              -- Wisdom (WIS)
      <code>owner</code> int(11) NOT NULL DEFAULT 0,               -- User ID (foreign key)
      <code>location</code> int(11) NOT NULL DEFAULT 0,            -- Current location ID
      <code>place</code> int(11) NOT NULL DEFAULT 0,               -- Place within location
      <code>action</code> varchar(100) NOT NULL DEFAULT ''         -- Current action (walking, etc.)
      ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

• D&D stat system: 5 core attributes (STR, DEX, CON, INT, WIS)
• Race/Class system: Text-based (should be foreign keys)
• Location tracking: location + place (hierarchical positioning)
• Action state: Tracks current activity (walking, fighting, etc.)
• Character-per-user: owner field links to game_users.id

game_activate table (Email verification):

      CREATE TABLE <code>game_activate</code> (
      <code>id</code> int(11) AUTO_INCREMENT PRIMARY KEY,
      <code>login</code> varchar(11) NOT NULL,
      <code>password</code> varchar(32) NOT NULL,                  -- MD5 hash stored
      <code>sid</code> varchar(32) NOT NULL,                       -- Pre-assigned session
      <code>mail</code> varchar(30) NOT NULL,
      <code>key</code> int(10) NOT NULL DEFAULT 0                  -- Activation key (email code)
      ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

• Purpose: Holds unactivated accounts until email confirmed
• Process: Register → Insert into game_activate → Email key → Move to game_users
• Security: Good practice (prevents fake accounts)

game_locations table (Game world):

      CREATE TABLE <code>game_locations</code> (
      <code>id</code> int(11) AUTO_INCREMENT PRIMARY KEY,
      <code>name</code> varchar(255) NOT NULL,                     -- Display name
      <code>name2</code> varchar(255) NOT NULL,                    -- Alternate name (locative case?)
      <code>name3</code> varchar(255) NOT NULL,                    -- 3rd form (Polish grammar cases)
      <code>ways</code> text NOT NULL,                             -- Serialized connections (bad design)
      <code>type</code> varchar(5) NOT NULL,                       -- Location type
      <code>resources</code> text NOT NULL,                        -- Available resources (serialized)
      <code>freespace</code> int(11) NOT NULL DEFAULT 10000,       -- Capacity
      <code>mainplace</code> int(11) NOT NULL DEFAULT 0            -- Main square/entrance
      ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

• Polish grammar support: 3 name forms for different sentence contexts
• Serialized data: ways and resources TEXT fields = bad normalization
• Type system: 5-char codes for area types
• Freespace: Capacity limit for players (crowding prevention)

game_options table (Configuration):

      CREATE TABLE <code>game_options</code> (
      <code>option</code> varchar(244) NOT NULL,                   -- Key
      <code>value</code> varchar(244) NOT NULL                     -- Value
      ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

• Key-value store: Flexible configuration system
• Known options:
• offlinestatus = 'Y'/'N' (game online/offline)
• offlinemessage = Text shown when offline
• No primary key: Anti-pattern (allows duplicates)

Code Architecture Patterns

1. OPT Template Engine (Custom Smarty Clone):

      // includes/header.php - OPT initialization
      define('OPT_DIR', './includes/libs/');
      require(OPT_DIR.'opt.class.php');
      $tpl = new optClass;
      $tpl -> gzipCompression = 0;
      $tpl -> httpHeaders(OPT_HTML);
      $tpl -> root = './templates/';
      $tpl -> compile = './templates_c/';

• Custom template engine (79 KB, 5 files)
• Mimics Smarty API (assign(), parse() methods)
• Template syntax: opt:if, opt:for, opt:section (XML-style directives)
• Compiled template caching for performance

2. Database Abstraction Layer (Custom ADOdb):

      // class/db.class.php - Custom Result class
      class Result {
      private $result, $mode;
      public $fields, $EOF;
      function __construct($result, $mode) {
      $this -> fields = mysql_fetch_array($result, $mode);
      $this -> result = $result;
      $this -> mode = $mode;
      }
      function MoveNext() {
      $this -> fields = mysql_fetch_array($this -> result, $this -> mode);
      if ($this -> fields == NULL) {
      $this -> EOF = 1;
      }
      }
      }
      // class/db.class.php - Database class
      class DB {
      private $dbhost, $dbuser, $dbpass, $dbname;
      function Execute($query, $type = 'object', $cache = 'nocache') {
      global $counter;
      $counter++;  // Query counter for debugging
      $this -> sql_connect();
      $result = mysql_query($query) or die('Nie można wykonać zapytania: '.$query);
      mysql_close($this -> handler);  // Close after EVERY query!
      if ($type == 'object') {
      return new Result($result, $this -> mode);
      }
      // ...
      }
      }

• Result object mimics ADOdb (fields, EOF, MoveNext() pattern)
• Query counter ($counter global for performance monitoring)
• Type flexibility: Return object or array
• CRITICAL FLAW: Closes MySQL connection after every query! (Performance disaster)

3. Front Controller Pattern (index.php):

      // index.php - Routing based on ?page= parameter
      if (!isset($_GET['page']) || $_GET['page'] == '') {
      // Show news homepage
      require_once('class/news.class.php');
      $news = new News;
      $arrNews = $news -> newsReturn();
      $tpl -> assign('News', $arrNews);
      }
      elseif (isset($_GET['page']) && $_GET['page'] == 'login') {
      // Handle login
      $logRes = $site -> login($_POST['login'], $_POST['password']);
      $tpl -> assign('Login', $logRes);
      }
      elseif (isset($_GET['page']) && $_GET['page'] == 'register') {
      // Handle registration
      include('class/register.class.php');
      $register = new Register;
      $registerRes = $register -> adduser($_POST['login'], $_POST['password'], $_POST['password2'], $_POST['mail']);
      $tpl -> assign('Register', $registerRes);
      }
      // ... more pages
      $tpl -> parse('index.tpl');

• Single entry point: index.php?page=login, ?page=register, etc.
• Template assignment: Pass result codes to template
• Result codes: -1, -2, 10, etc. (magic numbers = bad practice)

4. Character Creation Flow:

      // user.class.php - addCharacter()
      function addCharacter($name, $gender, $race, $class) {
      global $races, $classes, $db;
      // Validation
      if (empty($race) || empty($class) || empty($gender) || empty($name)) {
      return -2;
      }
      if (!array_key_exists($race, $races) || !array_key_exists($class, $classes)) {
      return -1;
      }
      if ($gender != 'M' && $gender != 'F') {
      return -1;
      }
      // Get race/class bonuses
      $raceData = getRaceByTag($race);
      $classData = getClassByTag($class);
      // Insert character
      $db -> Execute("INSERT INTO <code>game_characters</code>
      (<code>name</code>, <code>race</code>, <code>gender</code>, <code>class</code>, <code>hp</code>, <code>max_hp</code>, ...)
      VALUES (...)");
      return 1;
      }

• Race/Class configs: Separate PHP files (configs/races.php, configs/classes.php)
• Stat calculation: Base stats + race bonuses + class bonuses
• AJAX integration: getrace.php, getclass.php fetch descriptions dynamically

5. Session-Based Authentication:

      // user.class.php - Constructor
      function __construct() {
      global $db, $tpl;
      $this -> fields = $db -> Execute(
      'SELECT * FROM <code>game_users</code> WHERE <code>sid</code>=''.session_id().''',
      'array'
      );
      }
      // user.class.php - checklogin()
      function checklogin() {
      if ($this -> fields['sid'] == session_id()) {
      return TRUE;
      }
      return FALSE;
      }

• Session ID in database: Stored in game_users.sid column
• Auth check: Compare DB sid with current session_id()
• Session hijacking risk: No session regeneration after login

6. Offline Status System:

      // site.class.php - Constructor checks game status
      $result = $db -> Execute("SELECT <code>value</code> FROM game_options WHERE <code>option</code>='offlinestatus'");
      if ($result -> fields['value'] == 'Y') {
      $result = $db -> Execute("SELECT <code>value</code> FROM game_options WHERE <code>option</code>='offlinemessage'");
      $tpl -> assign('message', $result -> fields['value']);
      $tpl -> parse('../templates/message.tpl');
      exit;
      }

• Maintenance mode: Admin can take game offline via options table
• Custom message: Display reason for downtime
• IP ban check: Also blocks banned IPs with custom message

---

Core Game Loop

1. Account Registration:

• Create account (login, password, email)
• Receive activation key via email
• Activate account (moves from game_activate → game_users)
• UNIQUE: Email-based activation prevents spam accounts

2. Character Creation:

• Choose Race (3 options):
• Krasnolud (Dwarf) - 0 HP bonus
• Elf Leśny (Wood Elf) - +10 HP bonus
• Gnom (Gnome) - +15 HP bonus
• Choose Class (3 options):
• Rycerz (Knight) - Disciplined soldier, trained in combat
• Mag (Mage) - Mysterious magic user
• Wojownik (Warrior) - Wild mercenary, skilled but undisciplined
• Choose Gender (Male/Female)
• Set Age (default 16)
• Set Name (unique character name)

3. Character Stats (D&D-inspired):

• HP (Hit Points) - Current/Max health
• Strength (Siła) - Physical power
• Dexterity (Zręczność) - Agility/reflexes
• Endurance (Wytrzymałość) - Constitution/stamina
• Intellect (Intelekt) - Intelligence/knowledge
• Wisdom (Mądrość) - Wisdom/insight
• Base stats: All start at 3 (D&D-style low starting values)

4. World Exploration:

• Locations (game_locations table):
• Hierarchical: location → place (two-level positioning)
• Connected via ways field (serialized connections)
• Resources available per location
• Capacity limits (freespace = max 10,000 players)
• Movement: Character action='walking' state tracking

5. Experience & Leveling:

• EXP tracking (game_characters.exp)
• Level progression (game_characters.lvl starts at 1)
• Level-up mechanics: Not visible in provided code (likely incomplete)

6. Social Features:

• Private Messaging (game_messages table):
• Send messages between players
• Date tracking, title, longtext content
• News System (game_news + game_news_comments):
• Admin posts news
• Players comment on news posts
• Full comment threading
• Profile Viewer (profile.php):
• View other players' characters
• Display stats, race, class, level

Unique Mechanics

1. Polish Grammar Support:

• 3 name forms for locations (name, name2, name3)
• Handles Polish declension (Nominative, Genitive, Locative cases)
• Example: "Warszawa" (nom), "Warszawy" (gen), "Warszawie" (loc)

2. Email Activation System:

• game_activate table holds pending accounts
• Activation key emailed to user
• Must click link/enter code to activate
• Spam prevention: Unusually sophisticated for 2006

3. IP Ban System:

• game_bans table stores banned IPs
• Custom message per ban
• Checked on every page load (site.class.php constructor)

4. Maintenance Mode:

• game_options table: offlinestatus='Y'
• Display custom offlinemessage
• Blocks all players (admins too, no bypass visible)

5. Query Performance Monitoring:

• Global $counter tracks queries per page
• Displayed via OPT debug console
• Helps identify N+1 query problems

---

Schema Quality Assessment

Strengths:

• UTF-8 throughout (utf8 charset for Polish diacritics)
• Email uniqueness (UNIQUE KEY prevents duplicate accounts)
• ENUM for gender (M/F validation at DB level)
• Activation system (game_activate separate table = clean design)
• Prefix convention (game_ prevents table name conflicts)

Critical Flaws:

• MyISAM engine (no foreign keys, no transactions, no referential integrity)
• Serialized data (game_locations.ways, .resources = query hell)
• TEXT for VARCHAR (game_messages.message LONGTEXT when VARCHAR sufficient?)
• No indexes beyond PRIMARY KEY (query performance suffers)
• Magic strings (race='DWF', class='KNT' should be foreign keys)
• No timestamps (created_at, updated_at missing everywhere)

Data Integrity Issues

Foreign Key Violations (if this were InnoDB):

      -- game_characters.owner → game_users.id (NOT enforced)
      -- game_characters.race → game_races.tag (table doesn't exist!)
      -- game_characters.class → game_classes.tag (table doesn't exist!)
      -- game_characters.location → game_locations.id (NOT enforced)
      -- game_news_comments.newsid → game_news.id (NOT enforced)

• Orphaned records possible: Delete user, characters remain
• Invalid references possible: race='ZZZ' accepted by DB
• Cascade deletes impossible: Must manually delete related records

Serialized Data Anti-Pattern:

      -- game_locations.ways field example:
      '1|2|3|5'  -- Connected location IDs (pipe-separated)
      -- game_locations.resources field example:
      'wood:100|stone:50|iron:25'  -- Resource types and quantities

• Cannot query: SELECT locations WHERE wood > 50 (impossible!)
• Cannot join: No foreign keys to resource definitions
• Cannot index: TEXT fields = table scan every time
• Pain to update: Must unserialize, modify, reserialize

Proper Design (game_location_connections table):

      CREATE TABLE game_location_connections (
      id INT AUTO_INCREMENT PRIMARY KEY,
      from_location INT NOT NULL,
      to_location INT NOT NULL,
      FOREIGN KEY (from_location) REFERENCES game_locations(id),
      FOREIGN KEY (to_location) REFERENCES game_locations(id)
      );

---

Strengths

1. Best Architecture in Collection (So Far):

• Custom template engine (OPT = 79 KB of custom code!)
• Database abstraction (Result/DB classes wrap mysql_*)
• MVC separation (classes, templates, configs)
• OOP throughout (User, Site, Character, News, Register classes)
• AJAX endpoints (getrace.php, getclass.php for dynamic data)

2. Error Handling:

• error_reporting(E_ALL) enabled
• Result codes for user feedback (-1, -2, 10, etc.)
• mysql_error() displayed in die() statements (helps debugging)

3. Polish Language Support:

• UTF-8 database charset
• Polish field names in code
• Grammar case support (3 name forms)
• Polish comments throughout

4. Performance Awareness:

• Template compilation (templates_c/ caching)
• Query counter ($counter global)
• gzipCompression option in OPT
• Debug console available

Critical Weaknesses

1. HARDCODED CREDENTIALS (CVSS 9.8 CRITICAL):

      // includes/header.php line 6
      $db = new DB('localhost', 'root', 'krasnal', 'elymntea', MYSQL_ASSOC);

• Database: localhost/elymntea
• Username: root (administrative MySQL account!)
• Password: 'krasnal' (Polish word = "gnome")
• Public exposure: Any attacker can read header.php
• CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 CRITICAL

2. MD5 PASSWORD HASHING (HIGH - CVSS 7.5):

      -- game_users table
      password varchar(32) NOT NULL  -- MD5 produces 32 hex chars

• MD5 crackable (rainbow tables, GPU cracking)
• No salt: Same password = same hash across users
• Better than plaintext (eRPG v0.5) but still weak
• CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N = 7.5 HIGH

3. SQL INJECTION EVERYWHERE (CVSS 9.8 CRITICAL):

      // user.class.php line 11
      $this -> fields = $db -> Execute(
      'SELECT * FROM <code>'.PREFIX.'users</code> WHERE <code>sid</code>=''.session_id().''',
      'array'
      );
      // No parameterized queries anywhere
      // String concatenation = SQL injection vector

• No prepared statements (mysql_* doesn't support them well)
• session_id() directly in query (if attacker controls session...)
• CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 CRITICAL

4. SESSION FIXATION (MEDIUM - CVSS 6.5):

      // No session_regenerate_id() after login
      // Session ID stored in database game_users.sid
      // If attacker sets victim's session ID before login...

• Attack: Attacker sets session ID → Victim logs in → Attacker hijacks
• CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N = 6.5 MEDIUM

5. PERFORMANCE DISASTER (Connection Thrashing):

      // db.class.php line 90-92
      function Execute($query, $type = 'object', $cache = 'nocache') {
      $this -> sql_connect();  // Connect
      $result = mysql_query($query);
      mysql_close($this -> handler);  // DISCONNECT AFTER EVERY QUERY!
      }

• Opens/closes MySQL connection per query!
• Performance: 100 queries = 100 connection handshakes
• Proper pattern: Connect once, keep persistent connection
• Impact: 10-100x slower than necessary

6. DEPRECATED MYSQL FUNCTIONS:

• Uses mysql_* functions (removed PHP 7.0)
• No MySQLi or PDO usage
• Code non-functional on PHP 7.0+

7. MAGIC NUMBERS:

      // index.php - Register results
      if ($registerRes == 10) { /<em> form </em>/ }
      elseif ($registerRes == -1) { /<em> closed </em>/ }
      elseif ($registerRes == -2) { /<em> empty fields </em>/ }

• Result codes lack constants or enums
• -1, -2, 10 have no semantic meaning
• Hard to maintain (what's 10? must read code)

Code Style

• Readability: Good - Polish comments, logical structure
• Consistency: Excellent - Uniform spacing, brace style
• Documentation: Minimal - PHPDoc headers on DB classes only
• Error Handling: Basic - die() statements only
• DRY Principle: Good - Template engine, DB abstraction, OOP classes

---

Deployment Feasibility: IMPOSSIBLE

Fatal Blockers:

• Hardcoded root credentials - Immediate compromise
• SQL injection everywhere - Database takeover
• mysql_* functions - Incompatible with PHP 7.0+
• MD5 password hashing - Account theft via rainbow tables
• Session fixation - Account hijacking
• Flash dependency - Fire.swf requires obsolete Flash Player
• Connection thrashing - Performance unusable under load

Positive Aspects (vs other games):

• Custom template engine - Shows engineering skill
• Database abstraction - Easier to port to PDO
• MVC architecture - Cleanest in collection
• Email activation - Spam prevention (sophisticated for 2006)
• Maintenance mode - Admin control over game status

Technical Debt Score: 7/10 (Worse than eRPG!)

Why 7/10 (vs 6/10 for eRPG):

• Hardcoded root credentials (vs auto-generated config in eRPG)
• Connection thrashing (unique performance disaster)
• Flash dependency (obsolete technology)
• MD5 hashing (better than plaintext in eRPG)
• Custom template engine (impressive engineering)
• Email activation (sophistication point)

Modernization Effort Required:

• Remove hardcoded credentials + create installer: 40 hours
• Replace mysql_* with PDO: 25 hours
• Fix connection thrashing (persistent connection): 5 hours
• Implement bcrypt password hashing: 10 hours
• Add parameterized queries everywhere: 20 hours
• Remove Flash ad, replace with HTML5: 5 hours
• Session security (regenerate, secure flags): 5 hours
• Denormalize serialized fields: 30 hours
• Testing and QA: 40 hours
• TOTAL: 180 hours (~4.5 weeks for 1 developer)

Estimated Cost: $13,500 - $27,000 USD (vs $6K-12K for eRPG)

Historical Value: HIGH

Preservation Worthiness: 8/10 (Tied with eRPG)

Why High Value:

• Custom template engine - OPT is a unique artifact (79 KB custom code!)
• Technical sophistication - Best architecture in collection
• Erythanea connection - Sister project with Flash ad (historical context)
• Polish RPG history - Documents 2006 Polish game dev scene
• D&D influence - Shows tabletop RPG influence on browser games
• Email activation - Ahead of its time (spam prevention in 2006!)

Archival Recommendations:

• Full preservation (all files including Flash)
• Document OPT template engine (unique system, 79 KB of custom code)
• Research Erythanea project (was it released? domain dead)
• Contact This email address is being protected from spambots. You need JavaScript enabled to view it. (ask about project history)
• Translate UI to English for wider study
• Create security patch (credential removal, PDO conversion)
• Benchmark connection thrashing (demonstrate performance impact)

---

Vulnerability Summary

Security Posture Score: 1/10 (Worst in Collection!)

Why 1/10 (vs 3/10 for eRPG, 0/10 for DS1):

• HARDCODED ROOT CREDENTIALS (worse than any game so far!)
• SQL injection everywhere
• MD5 hashing (+1 point vs plaintext)
• Email activation (+1 point for spam prevention)
• Session fixation
• No CSRF protection

Comparison to Collection:

• eRPG v0.5: 3/10 (empty config.php, installer-generated)
• Dragon Knight: 2/10 (empty default credentials)
• Elymantea: 1/10 (hardcoded root credentials!)
• DragonSwords 1: 0/10 (6 hardcoded credentials)
• DragonSwords 2: -1/10 (DS1 flaws + illegal payments)

Root Credentials Impact:

      $db = new DB('localhost', 'root', 'krasnal', 'elymntea', MYSQL_ASSOC);

• root = Full MySQL administrative access
• Can create/drop databases
• Can create new users
• Can read ALL databases on server
• Can modify mysql.user table (add backdoor accounts)
• Worse than regular user credentials by orders of magnitude

Compliance Assessment

GDPR (2018) Compliance:

• Article 32: Inadequate password security (MD5, no salt)
• Article 32: Hardcoded root credentials = negligent security
• Article 6: Consent via registration
• Article 15: No data export feature
• Article 17: No account deletion feature
• ⚠️ Article 33: Breach notification impossible (no audit logging)

Result: SEVERE NON-COMPLIANCE

Polish Data Protection Laws:

• Poland enforces GDPR strictly
• UODO (Polish DPA) investigates breaches
• MD5 passwords + hardcoded root = administrative fines (€10M or 2% revenue)

---

Innovation Score: 7/10 (HIGHEST in collection!)

Novel Features:

• Custom Template Engine (OPT) (+2.0) - 79 KB of custom template system (unique!)
• Database Abstraction Layer (+1.0) - Custom ADOdb-like Result/DB classes
• Email Activation System (+1.0) - Sophisticated spam prevention (rare in 2006)
• Polish Grammar Support (+0.5) - 3 name forms for declension
• Maintenance Mode (+0.5) - Offline status with custom message
• IP Ban System (+0.5) - Per-IP custom ban messages
• Query Performance Monitoring (+0.5) - $counter debug feature
• AJAX Race/Class Fetchers (+0.5) - Dynamic data without page reload
• Character-Based Gameplay (+0.5) - Account != Character separation

Why 7/10 is Highest:

• OPT template engine = Massive engineering achievement
• Database abstraction = Forward-thinking (2006!)
• Email activation = Ahead of its time
• Only game in collection with custom framework code

Derivative Elements:

• D&D stat system (standard)
• Race/class selection (common)
• News/comments (standard social features)

Gameplay Quality: 3/10 (Incomplete)

Strengths:

• Clean character creation flow
• D&D-style stat system (familiar to RPG players)
• Email activation prevents spam accounts
• Polish grammar support (native experience)

Critical Weakness: GAME IS INCOMPLETE

• No combat system visible (no enemies, no fight mechanics)
• No inventory (no items, equipment, loot)
• No quests (no storyline, objectives)
• Empty game world (game_locations table has 0 rows in schema)
• No economy (no shops, gold, trading)
• Leveling unclear (exp tracked but no level-up code)

Assessment: This appears to be a framework/engine demo, not a playable game. The technical infrastructure is impressive (OPT, DB classes, character system), but actual gameplay is missing.

User Experience: 5/10 (Framework Only)

Positive Aspects:

• Clean UI (OPT template separation)
• AJAX improves responsiveness (race/class fetchers)
• Email activation clear workflow
• Maintenance mode prevents broken-game exposure
• Polish language native support

Negative Aspects:

• Nothing to do! (no gameplay implemented)
• Flash ad intrusive (if used)
• Magic number result codes confusing
• No tutorials or help system
• Error messages in Polish only

Long-Term Engagement: 1/10

Retention Impossible:

• No gameplay = nothing to return to
• Framework/engine demo, not finished game
• Would need 6-12 months development to be playable

---

For Historians/Archivists

Preservation Strategy:

HIGH PRIORITY - Full Preservation + Deep Documentation

Actions:

• Archive Complete Package - All 52 files including Flash
• Document OPT Template Engine - Critical artifact (79 KB custom system)
• Reverse-Engineer OPT - Create documentation (opt:if, opt:for syntax)
• Research Erythanea - Contact This email address is being protected from spambots. You need JavaScript enabled to view it. for project history
• Translate Interface - English documentation for wider study
• Preserve Flash File - Fire.swf for historical Flash Player context
• Create Timeline - 2006 Polish browser RPG scene documentation

Historical Value: 8/10 - Tied highest with eRPG

• OPT template engine = Unique technical artifact
• Framework sophistication vs actual gameplay = Interesting contrast
• Erythanea connection (sister project mystery)
• Polish RPG development history
• Shows 2006 PHP 5.0.2 cutting-edge practices

Research Questions:

• Was Elymantea/Erythanea ever released?
• Is OPT template engine used in other projects?
• Why hardcode root credentials in such sophisticated code?
• What happened to Erythanea Team?

For Developers

⚠️ STUDY WITH EXTREME CAUTION

Why Study This:

• OPT template engine - Learn custom template engine design
• Database abstraction - See ADOdb-style wrapper implementation
• MVC architecture - Study separation of concerns
• Email activation - See spam prevention pattern

What to Study:

• includes/libs/ - Complete OPT template engine (79 KB)
• opt.class.php - Template parser
• opt.instructions.php - Directive implementation (opt:if, opt:for)
• opt.api.php - Public API design
• class/db.class.php - Result/DB abstraction pattern
• index.php - Front controller routing
• configs/ - Race/class configuration pattern

What NOT to Study:

• includes/header.php - Never hardcode credentials!
• db.class.php Execute() - Never close connection per query!
• MD5 hashing - Use bcrypt/Argon2
• Result code magic numbers - Use constants/enums

Modernization Path (IF Forking):

Effort: 180 hours (~4.5 weeks)

Priority 1 - Security (60 hours):

      // 1. Remove hardcoded credentials (5 hours)
      // Create installer that generates:
      define('DB_HOST', $_POST['dbhost']);
      define('DB_USER', $_POST['dbuser']);
      define('DB_PASS', $_POST['dbpass']);
      define('DB_NAME', $_POST['dbname']);
      // 2. Replace MD5 with bcrypt (10 hours)
      $hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
      if (password_verify($_POST['password'], $db_hash)) { /<em> login </em>/ }
      // 3. Convert to PDO prepared statements (25 hours)
      $stmt = $pdo->prepare("SELECT * FROM game_users WHERE sid = :sid");
      $stmt->execute(['sid' => session_id()]);
      // 4. Fix session security (5 hours)
      session_regenerate_id(true);  // After login
      // 5. Add CSRF tokens (15 hours)
      $_SESSION['csrf_token'] = bin2hex(random_bytes(32));

Priority 2 - Performance (40 hours):

      // 1. Fix connection thrashing (5 hours)
      class DB {
      private static $connection;  // Persistent connection
      function Execute($query) {
      if (!self::$connection) {
      self::$connection = new PDO(...);  // Connect once
      }
      return self::$connection->prepare($query);
      }
      }
      // 2. Denormalize game_locations (30 hours)
      CREATE TABLE game_location_connections (...);  // Replace serialized ways
      CREATE TABLE game_location_resources (...);     // Replace serialized resources
      // 3. Add indexes (5 hours)
      CREATE INDEX idx_characters_owner ON game_characters(owner);
      CREATE INDEX idx_characters_location ON game_characters(location);

Priority 3 - Gameplay (100+ hours):

• Implement combat system (40 hours)
• Create inventory/equipment (30 hours)
• Build game world (20 hours)
• Add quests (40 hours)
• Economy/shops (20 hours)

Total Cost: $13.5K-27K USD (security only) or $30K-60K (full game)

For Players

NOT PLAYABLE (Framework Only)

Current State:

• Character creation works
• News/comments work
• Private messaging works
• NO COMBAT - Cannot fight
• NO WORLD - Nowhere to explore
• NO ITEMS - Nothing to collect
• NO QUESTS - Nothing to do

Verdict: This is a game engine demo, not a finished game. Like buying a car with no engine - looks nice, goes nowhere.

For Collectors

Archival Value: ⭐⭐⭐⭐⭐ (5/5) - HIGHEST in Collection

Why Maximum Value:

• OPT template engine = Unique 79 KB custom system (nowhere else!)
• Best architecture in entire collection
• Erythanea Flash ad = Cross-project mystery
• PHP 5.0.2 cutting-edge era (2006)
• Polish language + grammar support = Cultural artifact
• Email activation = Ahead of its time

Rareness: ⭐⭐⭐⭐☆ (4/5)

• Obscure project, minimal distribution
• Erythanea connection (sister project)
• This email address is being protected from spambots. You need JavaScript enabled to view it. may be only contact
• No public releases found
• OPT template engine possibly unique to this project

Final Verdict

Summary: Elymantea is the most technically sophisticated game analyzed so far, featuring a custom 79 KB template engine (OPT), database abstraction layer, MVC architecture, email activation system, and Polish grammar support. However, this sophistication is undermined by catastrophic security (hardcoded root credentials, SQL injection everywhere) and incomplete gameplay (no combat, world, items, or quests). This appears to be a framework/engine demo for the Erythanea project, showcasing technical capabilities rather than a finished game.

Key Paradox: How did developers sophisticated enough to build OPT template engine hardcode root credentials?

Historical Significance: Elymantea documents the technical peak of Polish browser RPG development in 2006. The OPT template engine represents engineering ambition rarely seen in the genre - most developers used Smarty or raw PHP, but Erythanea Team built their own 79 KB template system from scratch. This ambition makes the security failures even more tragic.

OPT Template Engine: The crown jewel of this archive. 79 KB of custom template code with:

• XML-style directives (opt:if, opt:for, opt:section)
• Template compilation to templates_c/ (performance optimization)
• Debug console with syntax highlighting
• Gzip compression support
• Custom instruction set

This alone justifies preservation - OPT may be unique in web RPG history.

Best Use Cases in 2025:

• Study OPT template engine - Reverse-engineer custom template system design
• Architecture case study - Learn MVC separation in PHP 5.0.2 era
• Database abstraction - See ADOdb-like wrapper pattern
• Historical research - Document Polish RPG scene + Erythanea project
• ⚠️ Security education - "How not to deploy" (root credentials)
• NOT for play - No gameplay implemented
• NOT for public deployment - Critical security flaws

Comparison to Collection:

• eRPG v0.5: 3/10 security, simple engine, GPL licensed
• Dragon Knight: 2/10 security, educational tribute
• Elymantea: 1/10 security, custom framework, incomplete
• Winner: Elymantea for technical innovation, eRPG for deployability

Preservation Priority: MAXIMUM - First game in collection with custom framework code

Epitaph: "They built a custom template engine but hardcoded root credentials - the greatest paradox in this entire collection."

---

Analysis Completed: December 2025

Confidence Level: 94% (complete file review, OPT engine analysis, sister project identified)

Recommended Action: PRESERVE AS CRITICAL ARTIFACT - OPT template engine unique in collection

Security Warning: ⚠️ HARDCODED ROOT CREDENTIALS - Never deploy publicly

Cultural Note: 🇵🇱 Polish RPG history + Erythanea cross-project mystery

Mystery: 🔍 What happened to Erythanea? Was it ever released? Contact This email address is being protected from spambots. You need JavaScript enabled to view it.

Next Game in Collection: eternal_duel (23/79 complete - 29.1%)