Kallen

Directory: kallen/Kallen/

Game Engine: Phaos - Fantasy Browser RPG Engine

Version: 0.89 (per HISTORY.txt)

Original Developer: Zeke Walker (zekewalker.com)

Company: 3E Productions (3eproductions.com)

Official Site: worldofphaos.com

Development Date: June 23, 2006 (SQL dump), March 30, 2005 (

Environment: PHP 5.0.4, MySQL 4.1.12, phpMyAdmin 2.6.2-pl1

Key Discovery: This is the original Phaos engine - one of the most influential open-source browser RPG frameworks from the mid-2000s. Spawned numerous derivatives and inspired many later projects.

---

Total Files: 1,199 files

Code: 135 PHP files (0.90 MB)

Graphics: 1,047 images (3.93 MB total)

• 469 GIFs (0.83 MB)
• 310 JPGs (0.71 MB)
• 268 PNGs (2.39 MB)

Audio: 4 MIDI files (0.17 MB)

Database: 2 SQL files (1.79 MB)

• phaos_structure.sql - 42 tables, 828 lines
• phaos_data.sql - pre-populated game content

Documentation: 3 text files (INSTALL.txt, HISTORY.txt, LICENSE.txt)

Flash: 1 SWF file (0.01 MB)

Binary: 1 EXE, 1 DLL in images/ (1.32 MB - likely map editor tools)

Directory Structure:

      Kallen/
      ├── Core Game Files (80+ PHP scripts)
      ├── admin/ (60 admin tools - comprehensive CMS)
      ├── images/ (1,047 files - characters, items, monsters, UI)
      ├── mapmaker/ (map editor tool)
      ├── flash/ (Flash components)
      ├── music/ (4 MIDI background tracks)
      ├── lang/ (internationalization)
      ├── styles/ (CSS themes)
      └── import/ (SQL installation)

---

Architecture: Object-Oriented with Procedural Helpers

Core Components:

1. Character System (class_character.php - 1,472 lines!)

• OOP character class with 70+ properties
• Combat calculations: attack_min(), attack_max(), defense_min(), defense_max()
• Skill system: fight, defense, weaponless, lockpick, traps, search, mana
• Reputation system: helpfulness, generosity, combat reputation
• Stamina/HP regeneration with time-based mechanics

2. Database Layer (config.php lines 25-26):

$connection = mysql_connect("$mysql_server","$mysql_user","$mysql_password");
$db = mysql_select_db("$mysql_database");

• Deprecated mysql_* functions (PHP 7.0 incompatible)
• Global $connection variable used throughout
• Manual query building (no ORM)

3. Security Model (config.php lines 49-55):

// FIXME: security hole
foreach($_GET as $key=>$value) {
    $$key = get_magic_quotes_gpc() ? $value : addslashes($value);
}
foreach($_POST as $key=>$value) {
    $$key = get_magic_quotes_gpc() ? $value : addslashes($value);
}

• Cookie-based sessions: PHP_PHAOS_USER, PHP_PHAOS_MD5PW
• MD5 password hashing (weak but better than plaintext)
• Backward compatibility with old plaintext passwords
• Admin authentication separate (PHP_ADMIN_USER, PHP_ADMIN_MD5PW)

5. Internationalization (config.php lines 10-14):

• $lang variable from cookie (defaults to "en")
• Separate language files in lang/ directory
• include_lang.php for translations

6. Combat Engine (combat.php - 1,016 lines):

• Complex damage calculation: root_damage(), roll_damage()
• Exponential damage curves to keep fights exciting
• Arena system with dynamic opponent spawning
• Quest-based NPC generation
• Session-based combat state tracking

7. NPC AI (functions.php - movenpc()):

• Autonomous NPC movement every 1,000 seconds
• HP/stamina regeneration for NPCs
• Random relocation algorithm
• Shop inventory replenishment system

8. Admin Panel (60 files in admin/):

• Full CRUD for: weapons, armor, boots, gloves, helms, shields, spells, NPCs, opponents, quests
• Map editor integration
• Database optimization tools
• User/character management
• Live chat system (admin_chat.php)
• Broadcast messaging to all players

9. Map System:

• mapmaker/ - dedicated map editor
• map_to_image.php - dynamic map rendering
• Explorable towns system (v0.89 feature)
• Unpassable terrain (pass field in locations)
• World coordinates (x, y) on grid

---

RPG System: Classic fantasy D&D-inspired mechanics with browser-based implementation.

Core Stats (4 attributes):

• Strength - Melee damage
• Dexterity - Hit chance, dodge
• Wisdom - Finding items, magic
• Constitution - Hit points

Skills (7 active):

Fight, Defense, Weaponless Combat, Lockpicking, Traps, Search, Mana

Equipment Slots (9):

Weapon, Armor, Helmet, Boots, Gloves, Shield, Neck, Ring, (9th slot unclear)

Character Progression:

• Level-based XP system
• Stat points allocation on level-up
• Skill training (separate from levels)
• Reputation system (3 categories: helpful, generous, combat)

Locations (42+ table entries):

• Cities/towns (now explorable as of v0.89)
• Dungeons (removed in v0.88, being redesigned)
• Special areas (temples, arenas)
• Travel system with stamina costs
• Ship-based ocean travel

Combat Systems:

• PvE Combat - Fight NPCs/monsters
• Arena Combat - Controlled PvP environment
• PvP Combat (pvpcombat.php) - Direct player battles
• Quest Combat - Special encounters for quests

Economy:

• Gold currency
• Bank system (bank.php, bankgold field)
• Player market (market.php)
• NPC shops with dynamic inventory
• Item trading between players
• Blacksmith/Darksmith for crafting

Social Features:

• Clans/Guilds (phaos_clan_admin, phaos_clan_in tables)
• Clan leaders, ranks (10 rank tiers), banners, signatures
• Clan treasury, slogan, location
• Messaging system (message.php)
• "Who's Online" (who.php)
• Player info profiles (player_info.php)

Quest System:

• phaos_quests table
• Quest hunters tracking (phaos_questhunters)
• Monster kill quests
• Item collection quests
• Battle count requirements

Special Locations (v0.89 newly explorable):

• Pah-Loran, Sconsh, Isia, Nihil, Doonmoor (mentioned in HISTORY.txt)

---

Total Tables: 42

Prefix: phaos_

Engine: MyISAM (TYPE=MyISAM in SQL)

Charset: latin1 (default, not UTF-8)

Key Tables:

Characters & Users:

• phaos_characters (50+ fields) - player characters, NPCs
• phaos_users - accounts
• phaos_admin - admin accounts

Equipment & Items (9 tables):

• phaos_weapons, phaos_armor, phaos_boots, phaos_gloves, phaos_helm, phaos_shields
• phaos_char_inventory - player inventory
• phaos_ground - dropped items on ground

Combat & NPCs:

• phaos_npc - NPC definitions
• phaos_opponents - enemy stats
• phaos_arena_fighting - arena battles

World & Travel:

• phaos_locations (id, name, image_path, special, buildings, pass, explore)
• phaos_buildings - shops in locations
• phaos_ship - ship travel

Economy:

• phaos_shop_inventory - shop stock with quantity/max
• Market tables for player trading

Social:

• phaos_clan_admin - clan management (22 fields!)
• phaos_clan_in - clan membership
• phaos_mail - messaging

Quests:

• phaos_quests - quest definitions
• phaos_questhunters - player quest progress

Magic & Abilities:

• phaos_spells
• phaos_abilities

Schema Quality: 6/10

• Comprehensive entity modeling
• Clear naming conventions
• MyISAM (no foreign keys, no transactions)
• Wide character table (50+ columns)
• No normalization of equipment (9 separate item tables)

---

Strengths:

• Class-based character system (1,472 lines - extensive!)
• Function library (functions.php, shop_functions.php)
• Comprehensive admin tools (60 files)
• Documentation files present (INSTALL, HISTORY, LICENSE)
• Developer acknowledged security issues ("FIXME: security hole")
• Internationalization framework

Weaknesses:

• Variable variables security nightmare ($$key from user input)
• Global variables everywhere ($connection, $auth, $character)
• No autoloading (manual includes)
• Deprecated mysql_* functions
• Mixed coding styles (some OOP, mostly procedural)
• Minimal inline comments
• Magic numbers (e.g., time()+1000, hardcoded arena location ranges)
• Hardcoded credentials in mapmaker (index.php line 158: "root","cM27kl")

Maintainability Issues:

• 1,016-line combat.php (too large)
• 1,472-line class_character.php (monolithic)
• No testing framework
• No dependency management

Modernization Cost: 320-400 hours ($24K-$30K at $75/hr)

---

PHP Version: 5.0.4 (June 2006)

EOL: August 2007 (18+ years obsolete!)

MySQL: 4.1.12 (ancient)

Critical Issues:

• mysql_* removed in PHP 7.0 - game won't run on modern servers
• No prepared statements - SQL injection risk
• Variable variables - register_globals-era security hole
• MD5 passwords - weak hashing
• MyISAM - no ACID compliance
• No modern framework - hand-rolled everything

Missing Modern Features: Namespaces, traits, type hints, return types, null coalescing, PDO, Composer, PSR standards, ORM, templating engine, middleware, dependency injection.

---

Critical Flaws:

1. Variable Variables Injection (config.php lines 49-55):

foreach($_GET as $key=>$value) {
    $$key = get_magic_quotes_gpc() ? $value : addslashes($value);
}

      ?PHP_PHAOS_USER=admin&PHP_PHAOS_MD5PW=fakehash&connection=malicious
      

• Better than nothing, but addslashes() ≠ mysql_real_escape_string()
• No prepared statements
• Charset encoding attacks possible

3. Weak Password Hashing:

• MD5 (weak, no salt)
• Backward compatibility with plaintext passwords (!!)

4. Hardcoded Credentials:

• mapmaker/index.php line 158: mysql_connect("localhost","root","cM27kl")
• Root password exposed in source

5. Limited XSS Protection:

• Only 5 uses of htmlspecialchars() found
• Most output unescaped

6. Information Disclosure:

• die(mysql_error()) throughout code
• Debug mode via cookie: $_COOKIE['_debug']

7. No CSRF Protection: Forms lack tokens

8. Session Security:

• Cookie-based without HTTPOnly/Secure flags
• No session regeneration on login

Positive Notes:

• Developer aware of security issues ("FIXME: security hole" comments)
• addslashes() shows some security awareness (for 2006)
• Separate admin authentication

Security Grade: F+ (2/10) - Acknowledged flaws but not fixed, critical variable injection vulnerability.

---

Innovative Aspects (for 2006):

1. Comprehensive OOP Character Class ⭐⭐⭐

• 1,472 lines of character logic
• 70+ properties, 50+ methods
• Advanced combat math (exponential damage curves)
• Innovation: Most 2006 browser RPGs used procedural code - Phaos used classes

2. Dynamic NPC AI ⭐⭐

• Autonomous NPC movement system
• Time-based regeneration
• Shop inventory auto-replenishment
• Unique: NPCs "live" in the world, not just spawned on demand

3. Explorable Towns (v0.89 feature) ⭐⭐

• Towns as traversable maps with building locations
• Each building at specific coordinates within town
• Innovation: Most 2006 RPGs had towns as menu screens, not explorable areas

4. Map Editor Integration ⭐⭐

• Dedicated mapmaker/ tool with visual interface
• map_to_image.php dynamic rendering
• Admin can design world without SQL edits
• Innovation: Rare for 2006 open-source projects

5. Comprehensive Admin Panel ⭐

• 60 admin tools for complete game management
• CRUD for all game entities
• Live player editing, broadcast messaging
• Standard: Good execution but not unique

6. Internationalization Framework ⭐

• Language files in lang/ directory
• Cookie-based locale switching
• Forward-thinking: I18n uncommon in 2006 browser RPGs

7. Modular Shop System ⭐

• shop_functions.php, shop_include.php
• Reusable shop code for all merchant types
• Dynamic inventory with quantity/max tracking

Historical Significance:

Phaos Legacy (2005-2010s):

• One of the first major GPL browser RPG engines
• Inspired dozens of forks and derivatives
• Active community on phpBB forums
• Influenced later engines (ezRPG, Glory Lands likely studied Phaos)

Comparison to Contemporaries:

• vs Legend of the Green Dragon (2002): Phaos more complex equipment/skills
• vs PHPAuction RPG (2003): Phaos has better OOP architecture
• vs early MCCodes (2004): Phaos more feature-complete

Technical Merit for 2006: 8/10

• Advanced for its time (OOP character class, NPC AI)
• Comprehensive feature set (quests, clans, admin tools)
• Acknowledged security issues but limited by PHP 5.0 capabilities

Innovation Score Today: 7/10 - Historically significant, advanced architecture for 2006, but security flaws prevent higher rating.

---

Use Case Assessment:

NOT Recommended:

• Production Use - Critical security vulnerabilities, obsolete PHP/MySQL
• Learning Modern Practices - Teaches outdated patterns (variable variables, mysql_*, global state)
• Commercial Deployment - World of Phaos trademark restriction (Zeke Walker retains rights)

Recommended For:

1. Historical Study ⭐⭐⭐⭐⭐

• Perfect example of mid-2000s browser RPG architecture
• Shows evolution from procedural to OOP PHP
• Documents pre-framework era techniques
• Use Case: Research on web game history, compare to modern engines

2. Learning Game Design ⭐⭐⭐⭐

• Excellent combat math (root_damage(), exponential curves)
• Comprehensive skill/stat system
• Quest framework design
• Use Case: Study game mechanics, adapt formulas to modern projects

3. GPL Framework Study ⭐⭐⭐⭐

• See how GPL
• s work with trademark restrictions
• Zeke Walker allowed code reuse but protected "World of Phaos" brand
• Use Case: Open-source licensing case study

4. Security Training ⭐⭐⭐

• Variable variables vulnerability (register_globals-era flaw)
• Evolution of authentication patterns
• Use Case: "Before & After" security workshops

5. Modernization Project ⭐⭐

• IF you want a learning project: port Phaos to modern PHP
• Good architecture bones (character class, admin tools)
• Challenge: 400-hour rewrite needed

Preservation Recommendation:

Archive Status: TIER 1 - CROWN JEWEL ⭐⭐⭐⭐⭐

Rationale:

• Historical Significance: One of most influential GPL browser RPGs (2005-2010s)
• Technical Merit: Advanced OOP for 2006, comprehensive features
• Documentation: INSTALL, HISTORY, LICENSE all present
• Completeness: Admin tools, map editor, full game ecosystem
• Legal: GPL
• d (code reusable with attribution)
• Community: Active forums, spawned many derivatives

Preservation Actions:

Document Thoroughly (this analysis)

Archive Complete Source (all 1,199 files)

Screenshot Key Features (admin panel, map editor, combat system)

Export Database Schema (42 tables documented)

Record Version History (HISTORY.txt shows v0.88 → v0.89 progression)

Credit Creator: Zeke Walker / 3E Productions / worldofphaos.com

Note

Research Impact: Search for Phaos derivatives, document influence

Do NOT:

• Deploy publicly (security vulnerabilities)
• Use "World of Phaos" name commercially (trademark restriction)
• Claim as original work (GPL requires attribution)

Comparison to Other Analyzed Games:

Verdict: Phaos ranks as 3rd most valuable engine (after ezRPG and Glory Lands), but edges ahead in historical significance due to earlier release date (2005 vs 2009).

---

Key Strengths: Comprehensive feature set, OOP character system, admin tools, GPL

Key Weaknesses: Variable variables security flaw, obsolete PHP/MySQL, monolithic files, weak authentication

Best Use: Historical study, game design learning, modernization learning project

Legacy: Spawned numerous derivatives, influenced 2000s browser RPG development