Mob Star

Title: Mob Star (internally called "Mafia Beta")

Genre: Browser-Based Mafia RPG

Release Date: April 15, 2005

Developer: J. Klompen

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Website: http://www.maffia.net.tc (defunct)

License: Unknown / Proprietary (no license file)

Project Status: Functional but incomplete beta

Archive Structure:

mob_star/
└── Mob star/
├── admin*.php        # Admin panel (6 files)
├── _*.php           # Backend logic files (24 files with underscore prefix)
├── crime.php        # Crime system
├── oc.php           # Organized crimes (466 lines)
├── gta.php          # Grand Theft Auto system
├── crew.php         # Gang/crew management
├── blackjack.php    # Casino gambling
├── hitlist.php      # Player assassination contracts
├── jail.php         # Jail system
├── bank.php         # Banking system
├── forum.php        # Forum system
├── functions.php    # Helper functions (387 lines)
├── Class.db.php     # Database class
├── images/          # 115 GIF images, 28 JPG, 51 PNM
├── src/             # CSS/resources
└── database.txt     # MySQL schema (623 lines, 30+ tables)
<code></code>`

Historical Context:

Mob Star was developed in April 2005, the same month as the developer's copyright header indicates. This makes it contemporary with MetalMech v0.2.6 but predates MCCodes v2.0 by three years. The database.txt file contains a curious header: "Credits to GangsterWar V1! Fixed By GaLiL", suggesting this is either a fork or derivative of another mafia game called GangsterWar. However, all PHP files credit J. Klompen as sole author, indicating he rewrote the codebase while using GangsterWar's database schema as foundation.

Provenance Analysis:

• GangsterWar V1 = likely the first-generation mafia game (circa 2004?)
• "Fixed By GaLiL" = unknown developer who corrected GangsterWar's database
• J. Klompen = rewrote PHP codebase from scratch using inherited database schema
• Mob Star = the resulting game, branded as "Mafia Beta" in UI

This is the third derivative game encountered in this collection:

• kravian = unauthorized Travian clone
• mafia_script = commercial Ravan Scripts reskin
• Mob Star = GangsterWar fork with complete rewrite

---

Core Technologies

• Backend: PHP (version unknown, likely PHP 4.x based on syntax)
• Database: MySQL (MyISAM tables)
• Frontend: HTML with inline JavaScript, CSS
• Session Management: Cookie-based authentication
• Data Exchange: Form POST/GET (no AJAX)

Architecture

FLOW: Browser → index.php → _check_user.php → [feature].php → _[feature].php → MySQL
↓
_connect.php
(EXPOSED CREDENTIALS!)
<code></code>`

Critical Design Decision:

// _connect.php (ENTIRE FILE):
$Host = "localhost";
$User = "crimestrik_mob";      // ← EXPOSED!
$Pass = "jeff";                // ← EXPOSED!
$DBName = "crimestrik_mob";
$Link = mysql_connect($Host, $User, $Pass);
mysql_select_db($DBName);
<code></code>`

File Naming Convention:

• [feature].php = Frontend display (HTML output)
• _[feature].php = Backend logic (database operations)
• admin[feature].php = Admin panel pages

Example: `crime.php` displays UI, `_crime.php` handles database logic.

Code Statistics:

• Total Files: 311 files, 1.55 MB
• PHP Files: 101 files, 11,536 lines
• Largest PHP Files:
• playermessa.php (469 lines) - private messaging system
• oc.php (466 lines) - organized crime logic
• _oc.php (426 lines) - organized crime backend
• functions.php (387 lines) - helper functions
• _blackjack.php (365 lines) - casino blackjack
• Database Schema: database.txt (623 lines, 30+ tables)
• Images: 115 GIF, 28 JPG, 51 PNM files

---

Core Systems

1. Crime System (crime.php, _crime.php)

// Four crime types with percentage chances:

• Rob a bank (variable %)
• Threaten a P.I.M.P. (variable %)
• Rob a store (variable %)
• Pick-pocket someone (variable %)

2. Organized Crimes (oc.php - 466 lines, _oc.php - 426 lines)

• Team-based crimes requiring multiple players:
• Leader (initiates OC)
• Weapon Expert (provides weapons)
• Explosive Expert (provides explosives)
• Driver (provides escape vehicle)
• Weapon tiers:
• HighStandard .22
• MK III
• Thompson
• Explosive tiers:
• Dynamite
• TNT
• C4
• Cooldown: Time-based restriction between OCs

3. Grand Theft Auto System (gta.php, _gta.php - 314 lines)

// Car theft mechanics:
$car1 = "VW Corrado VR6";
$car2 = "Bently";        // [sic] - Bentley misspelled
$car3 = "Honda S2000";
$car4 = "Porsche GT2";
$car5 = "Mercedes SL600";
$car6 = "Hummer";
$car7 = "Fiat Multipla";
$car8 = "Retard car";     // ← Offensive name
<code></code>`

• Steal from: garage, street, parking lot
• Damage system: Cars accumulate damage (affects value)
• Shipping system: Transport cars between countries (10-minute delay)
• Auto-return: Cars left in original location return to owner after 10 minutes

4. Hitlist System (hitlist.php)

• Players can place bounties on other players
• Successful kills earn bounty reward
• Public hit contracts visible to all

5. Crew/Gang System (crew.php, crewprofile.php, crew_berichten.php, crew_forum.php)

• Players create/join crews (gangs)
• Crew-specific messaging system
• Crew forum for internal communication
• Application/approval workflow

6. Banking System (bank.php, _bank.php)

• Deposit/withdraw money
• Interest calculations
• Transaction history

7. Casino/Gambling (blackjack.php, _blackjack.php - 365 lines, back-up-black.php - 337 lines)

• Blackjack implementation (365 lines of game logic)
• Card dealing system
• Betting mechanics
• Multiple simultaneous games

8. Jail System (jail.php, jailbox.php)

• Players can be jailed for failed crimes
• Time-based jail sentences
• Jail messaging system (jailbox)

9. Travel System (travel.php, _travel.php)

• 10 countries:
• Netherlands, Italy, United States, Japan, Poland
• Russia, Columbia [sic], China, France, Australia
• Country-specific markets for drugs/booze

10. Commodity Trading (drugs.php, booze.php, bullets.php, buy.php)

// Booze types (from database.txt):
INSERT INTO <code>booze</code> VALUES ('5724', '467', '7953', '157', 'Netherlands');
// Beer, Rum, Whiskey, Vodka (quantities per country)
<code></code>`

11. Establishment System (establishment.php, est.php)

• Players can buy properties/land
• 55 land plots available (from database.txt)
• Crew headquarters establishment

12. Rank System (functions.php: RankMessage())

// Progression ranks:
0-99:     Noob
100-249:  Slave
250-599:  Hooker
600-3999: Pizza boy
4000-12999: Gangster
13000-24999: Hitman
25000-34999: Gun User
35000-45999: Local Boss  // Bug: 459999 in code
46000-64999: Land Lord
65000-79999: Don
80000-99999: Earths Ruler
100000-199999: God's Right Hand
<code></code>`
<em>Note: Code contains bug at Local Boss threshold (459999 instead of 45999)</em>

13. Communication Systems

• Inbox (inbox.php) - private messages
• Forum (forum.php, create_topic.php) - public discussions
• Player messages (playermessa.php - 469 lines) - advanced messaging
• Crew messages (crew_berichten.php) - gang communications

14. Admin Panel

• admin.php - main dashboard
• adminusers.php - user management
• adminban.php - ban system
• adminserver.php - server settings
• adminstats.php - statistics
• admin-changelog.php - version history

---

Security Score: 1/10 - CATASTROPHIC SECURITY DISASTER

CRITICAL VULNERABILITIES:

1. EXPOSED DATABASE CREDENTIALS IN SOURCE CODE

// _connect.php (PUBLICLY ACCESSIBLE):
$Host = "localhost";
$User = "crimestrik_mob";
$Pass = "jeff";           // ← PLAINTEXT PASSWORD!
$DBName = "crimestrik_mob";
<code></code>`

Impact: Anyone with file access or directory listing enabled can obtain full database access.

2. SQL INJECTION - EPIDEMIC SCALE

// _check_user.php:18 (NO ESCAPING):
$lijstGebruikers = "SELECT * FROM users WHERE username='$name' AND password='$password'";
$resultLijstGebruikers = mysql_query($lijstGebruikers);
// apply_crew.php:19-20 (DIRECT $_GET USAGE):
$name = $_GET['name'];
$id10 = $_GET['id10'];
// Used directly in queries...
// est.php:10 (ZERO VALIDATION):
$id = $_GET['id'];
// Immediately used in database operations
// oc.php:45 (COOKIE-BASED AUTH IN QUERY):
$lijstGebruikers = "SELECT * FROM oc WHERE leader='$cookieusername'";
// $cookieusername from $_COOKIE - user-controllable!
<code></code>`

Grep search found 20+ instances of unescaped `$_GET/$_POST/$_REQUEST` directly in queries.

Only 6 instances of `htmlspecialchars()` and 1 instance of `addslashes()` found across entire codebase:

// counter.inc.php:53 - ONLY sanitization found:
$pagename = addslashes($pagename);
<code></code>`

3. AUTHENTICATION BYPASS

// _check_user.php cookie authentication:
$name = $_POST['name'];
$password = $_POST['password'];
setcookie("cookieusername", $name, time()+86400);
setcookie("cookiepassword", $password, time()+86400);
// Authentication check:
$lijstGebruikers = "SELECT * FROM users WHERE username='$name' AND password='$password'";
<code></code>`

• Passwords stored in PLAINTEXT cookies
• Cookies sent client-side (editable by user)
• No password hashing
• No session tokens
• SQL query with unescaped variables = trivial SQL injection

4. XSS (Cross-Site Scripting) EVERYWHERE

// crime.php:23 (DIRECT OUTPUT):
echo "$melding";  // User-controllable variable
// oc.php outputs directly from database without escaping
// forum.php outputs forum posts without sanitization
// inbox.php displays messages without filtering
<code></code>`

5. ERROR SUPPRESSION HIDING FAILURES

// counter.inc.php:21-60 (12+ instances):
@mysql_query("DELETE FROM stats WHERE type='4' AND datum !='$datum'");
$sql = @mysql_query("SELECT count(1) FROM stats WHERE type='4' AND ip='$ip'");
$bezoek = @mysql_result($sql, 0);
@mysql_query("UPDATE stats SET value1=value1+1, value2=value2+1 WHERE type='1'");
// @ suppresses all errors - security issues hidden
<code></code>`

6. DEPRECATED mysql_* FUNCTIONS

• All database calls use deprecated `mysql_*` functions (removed in PHP 7.0)
• No mysqli or PDO
• No prepared statements = SQL injection guaranteed

7. DIRECTORY LISTING / FILE ACCESS

• No .htaccess file found
• `_connect.php` accessible if directory listing enabled
• Database credentials exposed to web

8. IP LOGGING WITHOUT PRIVACY DISCLOSURE

// counter.inc.php stores IP addresses
// ip_block table stores IPs
// No privacy policy or GDPR compliance
<code></code>`

9. COOKIE SECURITY ABSENT

setcookie("cookieusername", $name, time()+86400);
// Missing: HttpOnly, Secure, SameSite flags
// Vulnerable to XSS cookie theft
<code></code>`

10. RANK SYSTEM BUG = PRIVILEGE ESCALATION

// functions.php:63 (BUG):
if ($old_rank < 459999 AND $new_rank >= 459999) {
$opdracht = "insert INTO inbox values('0','$receiver','$receiver','$datem','You have been promoted to Local Boss Keep on going','0')";
// Should be 45999, not 459999!
// Creates unreachable rank or privilege escalation opportunity
<code></code>`

Comparison to Previous Games

Mob Star ties with mafia_warz as WORST SECURITY in collection.

---

Code Quality Score: 3/10 - Functional Chaos

STRENGTHS:

1. Consistent File Naming Convention

[feature].php  = Frontend (UI)
_[feature].php = Backend (logic)
admin[feature].php = Admin panel
<code></code>`
This separation is better than inline mixing (unlike MCCodes).

2. Modular Features

Each game system is isolated in separate files (crime, oc, gta, crew, etc.). Better than monolithic design.

3. Helper Functions Library

// functions.php:15-23
function UpdateTable($table, $set, $set_value, $where, $where_value) {
$result = mysql_query("UPDATE <code>$table</code> SET <code>$set</code>='$set_value' WHERE <code>$where</code>='$where_value'");
if ($result) {
return 1;
} else {
return 0;
}
}
<code></code>`
Attempts code reuse (though function is itself vulnerable to SQL injection).

4. Statistics Tracking System

// counter.inc.php implements page view tracking
// Unique visitors vs total hits
// Per-page statistics
<code></code>`

WEAKNESSES:

1. NO INPUT VALIDATION ANYWHERE

// Typical pattern across entire codebase:
$name = $_GET['name'];
// Directly used in queries/output with ZERO validation
<code></code>`

2. Dutch Language Mixing

// database.txt:
-- Tabel structuur voor tabel <code>[land]</code>
-- Gegevens worden uitgevoerd voor tabel <code>auctions</code>
// Variable names:
$lijstGebruikers = "SELECT...";  // "list users" in Dutch
$resultLijstGebruikers = mysql_query($lijstGebruikers);
$opdracht = "insert INTO...";   // "command" in Dutch
$resultaat = mysql_query($opdracht);  // "result" in Dutch
$melding = "Login wrong";        // "message" in Dutch
$bloep = "yes";                  // "bleep/beep" in Dutch
<code></code>`
Inconsistent language mixing makes code hard to maintain for non-Dutch speakers.

3. Magic Numbers Everywhere

// oc.php:62-93 (weapon types):
if ($we == "") { $we = " Nothing"; }
if ($we == 1) { $we = " HighStandard .22"; }
if ($we == 2) { $we = " MK III"; }
if ($we == 3) { $we = " Thompson"; }
// No constants, just raw numbers
<code></code>`

4. Inconsistent Coding Style

// Opening PHP tags vary:
<? // Short tags (deprecated)
<?PHP // Full tag, uppercase
<?php // Standard
<code></code>`

5. HTML Injection in PHP

// crime.php:19-36 (inline HTML in PHP):
echo "<div class="window">";
echo "<div class="mainTitle">Crimes</div>";
echo "<div class="mainText">";
// No template engine, all inline echo statements
<code></code>`

6. Error Handling = Exit or Suppress

// Only two error strategies:

• @ suppression (hides errors)
• No handling at all (errors displayed to user)

7. Offensive Code Comments

// gta.php:77
$car8 = "Retard car";  // Offensive disability slur
// oc.php:46
$bezet = "bloep";  // Nonsense variable value
<code></code>`

8. Database Schema Issues

// database.txt uses deprecated MyISAM:
CREATE TABLE <code>auctions</code> (...) TYPE=MyISAM;
// Should use InnoDB for foreign key support
// Excessive varchar(255):
<code>username</code> varchar(255)  // Username doesn't need 255 chars
<code>bericht</code> varchar(255)   // "message" truncated at 255 chars
<code></code>`

9. No OOP / Classes

Only one class found: `Class.db.php` (database wrapper), but never used. All code is procedural spaghetti.

10. Code Duplication

// Organized crime logic duplicated across:

• oc.php (466 lines)
• _oc.php (426 lines)

// Similar patterns repeated for each role (leader, weapon expert, etc.)

---

Database Schema

database.txt Analysis: 623 lines, 30+ tables

Core Tables:

1. users (Primary player table)

CREATE TABLE <code>users</code> (
<code>id</code> int(255) NOT NULL auto_increment,
<code>username</code> varchar(255) default NULL,
<code>password</code> varchar(255) default NULL,  -- PLAINTEXT!
<code>email</code> varchar(255) default NULL,
<code>rank</code> int(255) NOT NULL default '0',
<code>money</code> varchar(255) default '0',
<code>bullets</code> int(255) NOT NULL default '0',
<code>health</code> varchar(255) default '100',
<code>country</code> varchar(255) default 'Netherlands',
<code>crew</code> varchar(255) default 'None',
<code>jail</code> varchar(255) default NULL,
<code>on_hitlist</code> varchar(255) default NULL,
<code>ip</code> varchar(255) default NULL,
<code>power</code> varchar(255) default '0',
<code>oc</code> varchar(255) default '0',
<code>kills</code> varchar(255) default '0',
<code>death</code> varchar(255) default '0',
-- 30+ columns total
KEY <code>id</code> (<code>id</code>)
) TYPE=MyISAM;
<code></code>`

2. [land] (Property ownership)

CREATE TABLE <code>[land]</code> (
<code>owner</code> varchar(255) NOT NULL default '',
<code>id</code> int(255) NOT NULL default '0',
<code>type</code> int(255) NOT NULL default '0'
) TYPE=MyISAM;
-- 55 land plots initialized with owner='none'
INSERT INTO <code>[land]</code> VALUES ('none', 1, 0);
-- ... (55 rows)
<code></code>`

3. oc (Organized crimes)

CREATE TABLE <code>oc</code> (
<code>id</code> int(255) NOT NULL auto_increment,
<code>leader</code> varchar(255) default NULL,
<code>weapon_expert</code> varchar(255) default NULL,
<code>explosive_expert</code> varchar(255) default NULL,
<code>driver</code> varchar(255) default NULL,
<code>we</code> varchar(255) default NULL,  -- weapon type
<code>ee</code> varchar(255) default NULL,  -- explosive type
<code>location_oc</code> varchar(255) default NULL,
<code>oc_id</code> varchar(255) default NULL,
KEY <code>id</code> (<code>id</code>)
) TYPE=MyISAM;
<code></code>`

4. gta (Grand Theft Auto cars)

CREATE TABLE <code>gta</code> (
<code>id</code> int(255) NOT NULL auto_increment,
<code>type</code> int(255) default NULL,      -- car model
<code>damage</code> int(255) NOT NULL default '0',
<code>location_car</code> varchar(255) default NULL,
<code>owner_car</code> varchar(255) default NULL,
<code>original</code> varchar(255) default NULL,  -- origin country
<code>when</code> varchar(255) default NULL,      -- timestamp
<code>ship_time</code> varchar(255) default NULL, -- shipping ETA
KEY <code>id</code> (<code>id</code>)
) TYPE=MyISAM;
<code></code>`

5. crews (Gangs/families)

CREATE TABLE <code>crews</code> (
<code>id</code> int(255) NOT NULL auto_increment,
<code>crew_name</code> varchar(255) default NULL,
<code>crew_tag</code> varchar(255) default NULL,
<code>crew_boss</code> varchar(255) default NULL,
<code>members</code> varchar(255) default '0',
<code>money</code> varchar(255) default '0',
<code>applyer</code> varchar(255) default 'None',
KEY <code>id</code> (<code>id</code>)
) TYPE=MyISAM;
<code></code>`

6. hitlist (Assassination contracts)

CREATE TABLE <code>hitlist</code> (
<code>id</code> int(255) NOT NULL auto_increment,
<code>name</code> varchar(255) default NULL,
<code>prize</code> int(255) NOT NULL default '0',
<code>owner</code> varchar(255) default NULL,
KEY <code>id</code> (<code>id</code>)
) TYPE=MyISAM;
<code></code>`

7. booze (Commodity prices by country)

CREATE TABLE <code>booze</code> (
<code>Beer</code> varchar(255) default '0',
<code>Rum</code> varchar(255) default '0',
<code>Whiskey</code> varchar(255) default '0',
<code>Vodka</code> varchar(255) default '0',
<code>state</code> varchar(255) default NULL  -- country name
) TYPE=MyISAM;
-- 10 rows (one per country)
INSERT INTO <code>booze</code> VALUES ('5724', '467', '7953', '157', 'Netherlands');
-- ...
<code></code>`

8. blackjack (Casino games)

CREATE TABLE <code>blackjack</code> (
<code>id</code> int(255) NOT NULL auto_increment,
<code>better</code> varchar(255) default NULL,
<code>bet</code> int(255) NOT NULL default '0',
<code>state</code> varchar(255) default NULL,
<code>card1</code> varchar(255) default NULL,
<code>card2</code> varchar(255) default NULL,
KEY <code>id</code> (<code>id</code>)
) TYPE=MyISAM;
<code></code>`

Schema Issues:

• Excessive varchar(255): Money, rank, kills should be INT/BIGINT
• No foreign keys: MyISAM doesn't support them
• Timestamps as varchar: Should use DATETIME/TIMESTAMP
• No indexes on foreign key columns: Performance issues inevitable

Game Logic Algorithms

Organized Crime Flow (oc.php):

• Check if player already in OC → if yes, show current status
• Check cooldown timer → if active, deny with countdown
• Display available OC opportunities
• Player selects role (leader/weapon_expert/explosive_expert/driver)
• If leader:

a. Select OC target (location, type)

b. Create OC in database with leader name

• If specialist (weapon/explosive):

a. View pending OCs

b. Select equipment tier (1-3)

c. Join OC by filling role slot

• When all roles filled:

a. Calculate success chance based on equipment

b. Execute OC

c. Distribute rewards/penalties

d. Set cooldown timer

GTA Mechanics (gta.php):

• Steal car from location (garage/street/parking)
• Success/failure based on chance percentage
• If successful:

a. Car spawned in gta table with damage value

b. Car located in current country

• Player can:

a. Ship car to different country (10-minute timer)

b. Sell car for money (value based on damage)

• If car left in original country for 10+ minutes:

a. Auto-delete from database

b. Notification sent to player

Rank Progression (functions.php):

function RankMessage($old_rank, $new_rank, $receiver) {
// Compare old vs new rank
// If threshold crossed, send promotion message
// Inbox message inserted with rank name
}
// Called whenever player gains rank points
// Automatic message sent to player inbox
<code></code>`

---

The GangsterWar Connection

Evidence:

-- database.txt:1-3
------------------------------------------------
--  Credits to GangsterWar V1! Fixed By GaLiL --
------------------------------------------------
<code></code>`
This suggests a <strong>three-generation lineage:</strong>

• GangsterWar V1 (original game, unknown developer, ~2004?)
• GangsterWar V1 Fixed (GaLiL's database corrections, ~2004-2005?)
• Mob Star (J. Klompen's complete PHP rewrite, April 2005)

Hypothesis: GangsterWar V1 was an early mafia game with database design but poor implementation. "GaLiL" fixed the database schema, and J. Klompen used that schema to build entirely new PHP code, rebranded as "Mob Star" (or "Mafia Beta" in UI).

Timeline in Browser Gaming History

Pre-Mob Star Era (2003-2004):

• Text-based mafia games emerging
• GangsterWar V1 likely one of early examples
• Database-driven gameplay novel concept

Mob Star Release (April 2005):

• Same month as MetalMech v0.2.6
• Pre-dates MCCodes by 3 years (2008)
• Contemporary with mafia_warz

Post-Mob Star Era (2005-2008):

• Mafia game explosion
• Ravan Scripts commercializing engines
• MCCodes becomes dominant (2008-2015)

Comparison to Contemporaries

vs mafia_warz:

Verdict: Mob Star has better architecture (modular) but equivalent catastrophic security.

vs McCodes v2.0:

Lesson: MCCodes learned from disasters like Mob Star. By 2008, security awareness had improved significantly.

---

External Dependencies

None. Mob Star is entirely self-contained with zero external libraries.

PHP Extensions Required

// Implicit requirements:

• mysql extension (deprecated)
• gd library (for image processing, images/bars/)
• session support (though not used properly)

File System Requirements

Writable directories: None explicitly required
Image assets: images/ (115 GIF, 28 JPG, 51 PNM)
CSS: src/standard.css
<code></code>`

Database Requirements

-- MySQL 4.x or 5.x
-- MyISAM table type support
-- No foreign keys needed
-- No stored procedures
-- No triggers
-- ~30 tables to create
<code></code>`

Integration Complexity: LOW

Installation Steps (hypothetical, no installer provided):

• Create MySQL database
• Import database.txt
• Edit `_connect.php` with credentials
• Upload all files to web server
• Access index.php in browser

Pros:

• No composer/package manager
• No external APIs
• Single database import

Cons:

• No installation wizard
• Manual credential editing
• No configuration file separation
• Deprecated mysql_* functions (won't run on PHP 7+)

Deployment Requirements

• Linux/Windows server
• Apache with mod_php
• PHP 4.x - 5.6 (will NOT work on PHP 7.0+)
• MySQL 4.x - 5.x

Modern Deployment: IMPOSSIBLE without major rewrites

• mysql_* functions removed in PHP 7.0 (2015)
• Short PHP tags deprecated
• Cookie-based auth fails modern security standards
• No HTTPS enforcement
• No GDPR compliance

---

Completeness Score: 8/10 - Functionally Complete Beta

What's Present:

• Full source code (101 PHP files, 11,536 lines)
• Complete database schema (database.txt, 623 lines, 30 tables)
• All image assets (115 GIF, 28 JPG, 51 PNM)
• CSS styling (src/standard.css)
• Admin panel (6 admin files)
• All core systems functional

What's Missing:

• No documentation/README
• No installation wizard
• No configuration file (credentials hardcoded)
• No license file
• No changelog beyond admin-changelog.php

Playability Status:

Can Install:  YES (manual database import)
Can Register: YES (if _connect.php configured)
Can Login:    YES (cookie-based auth)
Can Play:     YES (all systems present)
Can Admin:    YES (admin panel exists)
Security Risk: EXTREME (would be hacked instantly if public)
<code></code>

Cultural Value: MEDIUM - Derivative but Representative

Historical Significance:

• GangsterWar Heritage: Documents evolution of early mafia game
• 2005 Snapshot: Shows typical security practices (or lack thereof) of era
• Pre-MCCodes: Important data point 3 years before industry standard
• ⚖️ Derivative Work: Not original, but represents common practice (forking/reskinning)

Comparative Value:

• Better architecture than mafia_warz (modular vs monolithic)
• Worse security than MCCodes (but 3 years earlier)
• Typical of 2005 amateur browser games
• Documents why MCCodes' security improvements were necessary

Restoration Difficulty: HIGH (Without Major Rewrites)

To Run on PHP 5.6 (last version supporting mysql_*):

Effort: LOW (4-8 hours)

• Configure _connect.php
• Import database.txt
• Fix file permissions
• Test features

To Run on PHP 7.x+:

Effort: VERY HIGH (80-120 hours)

• Replace ALL mysql_* with mysqli/PDO (101 files)
• Add prepared statements (prevent SQL injection)
• Fix short tags <? → <?php
• Implement proper session management
• Add input validation EVERYWHERE
• Implement password hashing
• Add CSRF protection
• Fix deprecated functions

To Meet Modern Security Standards:

Effort: EXTREME (200-300 hours)

• Complete authentication rewrite
• Sanitize ALL user input
• Implement output escaping
• Add HTTPS enforcement
• GDPR compliance (privacy policy, data export, deletion)
• Remove offensive content ("Retard car")
• Add rate limiting
• Implement CAPTCHA
• SQL injection prevention via prepared statements
• XSS prevention via Content Security Policy
• Fix rank system bug (459999 → 45999)

Comparative Rarity

In This Collection:

• Common: Mafia theme
• Common: PHP/MySQL stack
• Common: Catastrophic security (Mob Star, mafia_warz)
• Rare: GangsterWar derivative (first confirmed fork in collection)
• Rare: Modular frontend/backend separation

In Wild:

• GangsterWar V1 = possibly lost (no copies found in this collection)
• Mob Star = likely <50 copies worldwide
• Site (maffia.net.tc) = defunct (TLD .tc = Turks and Caicos, expired)
• Developer (This email address is being protected from spambots. You need JavaScript enabled to view it.) = no current web presence found

---

Overall Rating: 3/10 - Functional but Fatally Flawed

RATING BREAKDOWN:

STRENGTHS:

• Complete Feature Set
• 10+ game systems (crime, OC, GTA, crews, casino, hitlist, jail, travel, trading, banking)
• Admin panel with user management
• Forum and messaging systems
• Statistics tracking

• Modular Architecture
• Frontend/backend separation ([feature].php / _[feature].php)
• Better organized than monolithic alternatives (mafia_warz)
• Consistent naming convention

• GangsterWar Heritage
• Documents evolution of early mafia games
• Shows fork/derivative workflow common in 2005
• Database schema represents collaborative improvement

• Rich Game Mechanics
• Team-based organized crimes (4-player cooperation)
• Complex GTA system (damage, shipping, auto-return)
• 10-country travel system
• Rank progression with 12 tiers

WEAKNESSES:

• CATASTROPHIC SECURITY
• EXPOSED DATABASE PASSWORD in _connect.php
• SQL injection in 20+ files (direct $_GET/$_POST in queries)
• Plaintext password cookies (no hashing, no sessions)
• XSS everywhere (no output escaping)
• Deprecated mysql_* functions (removed PHP 7.0)

• Code Quality Issues
• No input validation anywhere
• Dutch/English mixing in variables
• Magic numbers (no constants)
• Offensive code ("Retard car")
• Error suppression (@) hiding failures
• Rank system bug (459999 vs 45999)

• No Documentation
• No README
• No installation guide
• No configuration file
• No API documentation
• Only inline comments

• Deployment Impossible (Modern PHP)
• Won't run on PHP 7.0+ (mysql_* removed)
• Requires PHP 5.6 or earlier (EOL 2018)
• No migration path without rewrites

Tier Classification: TIER 5 - Security Disaster, Functional Features

Comparison to Collection:

• Equal worst security: Mob Star (1/10) = mafia_warz (2/10)
• Better architecture: Mob Star (modular) > mafia_warz (monolithic)
• Lower completion: Mob Star (beta) < MCCodes (production)
• Historical significance: Mob Star (GangsterWar fork) vs MetalMech (Smarty pioneer)

Preservation Priority: MEDIUM

Justification:

• GangsterWar Heritage: Only documented evidence of GangsterWar V1 lineage
• 2005 Security Snapshot: Perfect example of pre-MCCodes security disaster
• Modular Architecture: Shows alternative to monolithic design
• Cautionary Tale: Demonstrates why frameworks like MCCodes were necessary

Ideal Use Cases (2024)

Educational Value:

• Security Training: Perfect example of what NOT to do
• SQL Injection Lab: Live examples of every vulnerability type
• Code Evolution: Compare 2005 (Mob Star) vs 2008 (MCCodes) security improvements
• Production Use: ABSOLUTELY NOT (would be compromised in minutes)

Historical Research:

• Browser Gaming Archaeology: Documents early mafia game evolution
• Fork/Derivative Workflow: Shows how games were built from others' schemas
• Pre-Framework Era: Example of ad-hoc development before standardization

Code Restoration:

• ⚠️ High Effort: 200-300 hours to modernize
• ⚠️ Limited Value: Features common to all mafia games
• Learning Project: Good rewrite challenge for students

The Mob Star Tragedy

Mob Star represents the typical 2005 browser game:

• 2004: GangsterWar V1 created (lost to history)
• 2004-2005: GaLiL fixes database ("Fixed By GaLiL")
• April 2005: J. Klompen rewrites PHP code, calls it Mob Star
• 2005-2006: Site runs at maffia.net.tc (domain now expired)
• 2007?: Site goes offline, code archived
• 2008: MCCodes releases with proper security, makes Mob Star obsolete
• 2024: Discovered in archive, preserved as historical artifact

The Lesson: Mob Star failed because security didn't matter until it did. In 2005, password exposure and SQL injection were common. By 2008, MCCodes raised the bar, and insecure games like Mob Star couldn't compete. The market enforced security standards that developers initially ignored.

Final Assessment

Technical Quality: 💀 Security Catastrophe (exposed password, SQL injection epidemic)

Feature Completeness: Fully Functional (all systems work if security ignored)

Historical Value: 📚 Medium (GangsterWar heritage, pre-MCCodes security example)

Playability: ⚠️ Beta Quality (works but would be instantly hacked if public)

Recommendation: PRESERVE as historical artifact of pre-framework mafia game development. Mob Star shows why MCCodes' security improvements were revolutionary. This is a textbook example of 2005-era security disasters that modern frameworks were built to prevent. The exposed password in _connect.php alone makes this a valuable teaching tool for "what never to do."

---

Archive Status: PRESERVED

Analyst Notes: This is the second-worst security disaster in collection (tied with mafia_warz). Database credits reveal GangsterWar V1 heritage, making this a derivative work rather than original creation. Modular architecture is superior to contemporaries, but catastrophic security (exposed credentials, epidemic SQL injection, plaintext cookies) makes it unusable in any production context. Valuable as historical artifact documenting pre-MCCodes security practices and fork/derivative workflow common in 2005. Developer's site (maffia.net.tc) defunct, email (This email address is being protected from spambots. You need JavaScript enabled to view it.) no current presence. Estimated <50 copies worldwide. CRITICAL WARNING: Never deploy this code publicly—it would be compromised in minutes.