NEAB Explorer

Title: NEAB Explorer v1.3.1

Full Name: Nowhere Else and Beyond Explorer Engine

Genre: Browser-Based 2D Fantasy RPG Engine / Toolkit

Release Date: 2005-2007

Version: 1.3.1 (mature release)

Developer: Alain Bertrand (aka "Garg")

Team: Sebastian Budijanto (QA, "Zorich"), Robert Smith (code contributor, "Papa See")

Website: http://www.nowhere-else.org (defunct)

Game Site: http://www.nowhere-else.org/engine (defunct)

License: Proprietary with Modification Rights

Project Status: Mature engine, stable release

Archive Structure:

      neab_explorer/
      └── NEAB Explorer/
      ├── install.txt       # Installation guide
      ├── license.txt       # License agreement
      ├── rpg_tables.sql    # Database schema (1,896 lines!)
      ├── docs/             # 118 .txt source documentation files
      └── neab/             # Main game directory
      ├── index.php            # Login/registration
      ├── game.php             # Main game engine (484 lines)
      ├── config/config.inc    # Database credentials
      ├── libs/                # Core utilities (1,297-line misc_util.php!)
      ├── admin_tools/         # 12 web-based admin tools
      ├── player_tools/        # Player features
      ├── locations/           # Game locations
      ├── locations_modules/   # Location type templates
      │   └── 2dmap/           # 2D tile map system with AJAX
      ├── combat/              # Combat system (739-line combats_util.php)
      ├── skills/              # Crafting, spells, harvesting
      ├── objects/             # Items
      ├── monsters/            # Enemy definitions
      ├── inventory/           # Inventory management
      ├── menu/                # Navigation
      └── maps/                # Map data

Historical Context:

NEAB Explorer represents professional browser RPG engine development circa 2005-2007. Unlike hobbyist projects (Mob Star, Mroczni Rycerze), this is a complete game creation toolkit designed for others to build games. The parent game "Nowhere Else and Beyond" (www.nowhere-else.org) was a live browser RPG that inspired this engine. Alain Bertrand created a commercial-grade engine with:

• Web-based admin tools (12 managers: dialog editor, map editor, quest manager, location manager, etc.)
• 2D tile-based maps with AJAX (JavaScript + PHP backend)
• Modular location system (developers can create custom location types)
• Quest/dialog system (branching conversations, variables, rewards)
• 118 documentation files in docs/ directory
• Professional team (developer, QA, contributors)

This is a true game engine. Previous entries were standalone games; NEAB Explorer is a platform for creating games.

---

Core Technologies

• Backend: PHP 4.x / PHP 5.x (auto-detects version)
• Database: MySQL 3.x+ (complex schema, 50+ tables)
• Frontend: HTML + CSS + JavaScript (AJAX-heavy)
• Database Abstraction: Custom ADODB emulation (2x faster than original)
• Session Management: Cookie-based auth (RPG cookie stores ID/username/password)
• JavaScript: Extensive use for 2D map, AJAX combat, dynamic UI

Architecture Innovation: Database Abstraction Layer

libs/db_conn.php:

      // Auto-detects PHP version and loads appropriate driver
      if((substr(phpversion(),0,1)+0) >= 5)
      include "$basedir/libs/db_conn_5.php"; // PHP 5 version
      else
      include "$basedir/libs/db_conn_4.php"; // PHP 4 version

Custom qstr() Method (SQL escaping):

      // libs/db_conn_4.php & db_conn_5.php
      function qstr($str) {
      return "'".mysql_real_escape_string($str,$this->conn)."'";
      }

Usage Pattern:

      // index.php:55 - PROPER SQL INJECTION PREVENTION
      $sql="SELECT ID,PASSWORD,ROLE,AUTHORIZED,HELPER
      FROM PLAYER
      WHERE USERNAME = ".$db->qstr(trim(stripslashes($_POST["USERNAME"])));

This game consistently use a database abstraction layer with escaping. The `$db->qstr()` method wraps mysql_real_escape_string() and is used extensively (30+ matches found).

Cookie-Based Authentication

index.php (login):

      // Store credentials in cookie
      setcookie("RPG",
      $res->fields[0]."/".                           // User ID
      urlencode(trim(stripslashes($_POST["USERNAME"])))."/". // Username
      urlencode(trim(stripslashes($_POST["PASSWORD"])))."/". // Password (PLAINTEXT!)
      "Y",                                           // Remember flag
      time()+3600<em>24</em>30                             // 30-day expiry
      );

game.php (auth check):

      if($_COOKIE["RPG"] != "") {
      $p=explode("/",$_COOKIE["RPG"]);
      $id=$p[0]+0;
      $username=urldecode($p[1]);
      $password=urldecode($p[2]); // PLAINTEXT PASSWORD IN COOKIE!
      $uservals=read_db_entry($db,"SELECT * FROM PLAYER WHERE ID = $id AND AUTHORIZED IN ('Y','-')");
      if(strtoupper($uservals["USERNAME"]) == strtoupper($username)
      && strtoupper($uservals["PASSWORD"]) == strtoupper($password))
      $userid=$uservals["ID"];
      }

CRITICAL SECURITY ISSUE: Passwords stored in plaintext in both:

• Database (PLAYER.PASSWORD VARCHAR(20) - no hashing!)
• Cookies (RPG cookie value visible in browser)

2D Map System with AJAX

Generic Map Architecture:

      Client Browser:
      ├── generic_map.php → Renders 7x7 tile view
      ├── map_script.js → JavaScript handles movement/combat
      └── AJAX calls to action_on_map.php
      ↓
      Server Backend:
      ├── action_on_map.php → Processes player actions
      ├── loadmap.php → Loads map data (516 lines!)
      └── map_util.php → Map utilities

AJAX Combat System (combats_util.php - 739 lines):

• Player clicks enemy on map
• JavaScript sends POST to game.php
• Combat engine calculates damage (stat-based + weapon modifiers)
• Returns HTML combat log via AJAX
• Updates player HP/MP in real-time

Code Statistics:

• Total Files: 3,539 files, 17.1 MB
• PHP/INC Files: 98 files, 17,035 lines
• Database Tables: 50+ tables (1,896-line SQL file!)
• HTML Documentation: 1,190 files (13.54 MB - generated docs)
• Images: 2,007 GIF + 9 PNG + 1 JPG (2.12 MB graphics)
• JavaScript: 7 .js files (0.08 MB)
• CSS: 4 files (normal.css, normal_ie.css, etc.)

Largest PHP Files

Average file size: 174 lines per PHP file (professional modularity).

---

Core RPG Systems

1. Character Stats (PLAYER table - 98 columns!)

      LEVEL INTEGER DEFAULT 1,
      EXPERIENCE BIGINT DEFAULT 0,
      DEXTERITY INTEGER DEFAULT 2,      -- Ranged attack, dodging
      STRONGNESS INTEGER DEFAULT 2,     -- Melee damage
      CHARISMA INTEGER DEFAULT 1,       -- NPC reactions, discounts
      INTELLIGENCE INTEGER DEFAULT 1,   -- Magic power, MP
      HP INTEGER DEFAULT 14,
      MAXHP INTEGER DEFAULT 14,
      MP INTEGER DEFAULT 10,
      MAXMP INTEGER DEFAULT 10,
      GOLD BIGINT DEFAULT 100,

2. Equipment System (11 slots)

      HAT INTEGER DEFAULT 501,
      ARMOR INTEGER DEFAULT 0,
      RING1 INTEGER DEFAULT 0,
      RING2 INTEGER DEFAULT 0,
      GLOVES INTEGER DEFAULT 0,
      PANTS INTEGER DEFAULT 536,
      SHOES INTEGER DEFAULT 514,
      CAPE INTEGER DEFAULT 0,
      SHIELD INTEGER DEFAULT 0,
      WEAPON INTEGER DEFAULT 10,

3. Character Schools (Classes)

      SCHOOL CHAR(1) BINARY,
      -- Values: 'B' = Barbarian, 'C' = Archer/Crossbowman, 'M' = Mage

School Special Abilities:

• Barbarian (B): FURY mode (sacrifice HP for massive attack)
• Archer (C): MARKSMAN (precision shot, uses arrows)
• Mage (M): DECAPITATE (instant kill chance, high MP cost)

4. Combat System (combats_util.php)

Stat-Based Calculation:

      // Attacker damage
      $attackval = $uservals["ATTACK"] + $uservals["COMBATSTR"]
      + ($uservals["DEXTERITY"] * $uservals["COMBATDEX"]);
      // Defender protection
      $protval = $monster["PROTECTION"] + ($monster["DEXTERITY"] * $block);
      // Final damage
      $dmg = max(1, $attackval - $protval) + weapon_damage;

Combat Actions:

• ATTACK - Standard melee/ranged attack
• DRINK - Use potion (healing, stat boost, temporary effects)
• SPELL - Cast magic (damage, healing, debuffs)
• FLEE - Escape combat (success based on dexterity)
• FURY / MARKSMAN / DECAPITATE - School-specific abilities

5. Quest System (quests_util.php - 806 lines)

Dialog-Driven Quests:

      CREATE TABLE DIALOGS(
      LOCATION INTEGER,
      NPC VARCHAR(100),              -- NPC name
      DIALOGID INTEGER,              -- Dialog tree node
      CONTENT TEXT,                  -- Dialog text
      DOCODE TEXT                    -- PHP code to execute
      );
      CREATE TABLE DIALOGLINKS(
      NPC VARCHAR(100),
      DIALOGFROM INTEGER,            -- Source dialog node
      LINKTEXT VARCHAR(200),         -- Choice text ("Accept quest")
      DIALOGTO INTEGER,              -- Target dialog node
      IFCODE TEXT                    -- Condition code
      );

Branching Conversations:

• Player talks to NPC
• System displays DIALOGS.CONTENT text
• Shows DIALOGLINKS choices (filtered by IFCODE conditions)
• Clicking choice executes DOCODE (give items, XP, gold)
• Advances to DIALOGTO dialog node

Quest Variables:

      CREATE TABLE QUESTVARIABLES(
      USERID INTEGER,
      QUESTID INTEGER,
      VARID INTEGER,
      VALUE TEXT
      );

Tracks quest progress (e.g., "wolves_killed = 5/10").

6. Crafting System (multiple skills)

Skills Implemented:

• CRAFT_OBJECTS - Create items from components (blacksmithing)
• COOK_OBJECTS - Prepare food (cooking)
• CAST_SPELL - Magic spell casting
• WOODCUTTING - Gather wood resources
• HARVEST - Gather plants/herbs
• EXTRACT - Mine ores/gems
• REPAIR - Fix damaged equipment
• RECYCLE - Break items into components

Crafting Formula System:

      CREATE TABLE OBJECT_FORMULA(
      OBJECTID INTEGER,              -- Output item
      NBITEMS INTEGER,               -- Quantity needed
      ITEM INTEGER,                  -- Input item
      TYPE VARCHAR(1)                -- 'O' = object, 'T' = tool
      );

Example: Sword = 3x Iron Bar + 1x Hammer (tool)

7. Inventory System (inventory.php - 612 lines)

Features:

• Quick inventory - Hotbar for 10 items (stored in QUICKINVENTORY VARCHAR)
• Mini inventory - Alternate hotbar
• Main inventory - Full item list
• Object usage - Equip, consume, sell, drop
• Stackable items - Same item types merge

8. 2D Map Exploration (generic_map.php)

Map System:

• 7x7 tile view (player in center)
• Click-to-move navigation
• Random monster encounters (probability-based spawns)
• Interactive objects (chests, trees, rocks)
• PvP zones (player vs player combat)
• Minimap (shows explored area)

Tile Types:

      CREATE TABLE MAP_TILES(
      MAPID INTEGER,
      X INTEGER,
      Y INTEGER,
      TILEID INTEGER,                -- Background tile (grass, water, etc.)
      OBJECTID INTEGER,              -- Foreground object (tree, rock, chest)
      WALKABLE CHAR(1)               -- 'Y' or 'N'
      );

9. Arena System (PvP)

      ARENAPOINTS INTEGER DEFAULT 0,   -- Ranking points
      ARENAFREEZE INTEGER DEFAULT 0,   -- Stun duration
      ARENAPOTION INTEGER DEFAULT 0,   -- Potion restrictions

10. Pet System

      CREATE TABLE PLAYER_PETS(
      USERID INTEGER,
      PETID INTEGER,
      FOOD DOUBLE DEFAULT 100,       -- Hunger level
      HAPPY DOUBLE DEFAULT 100,      -- Happiness level
      HEALTH INTEGER,
      LEVEL INTEGER
      );

11. Medal System (Achievements)

      CREATE TABLE MEDALS(
      ID INTEGER,
      NAME VARCHAR(100),
      DESC TEXT,
      ICONID INTEGER
      );
      CREATE TABLE PLAYER_MEDALS(
      USERID INTEGER,
      MEDALID INTEGER,
      AWARDED TIMESTAMP
      );

12. Mail System (misc_util.php)

Email Notifications:

      // misc_util.php:502 - sends email when player receives in-game mail
      mail($email,"NEAB Post office: $subject",
      "You received a new message in your NEAB accountnn
      http://www.nowhere-else.orgnJoin the community!",
      "From: ".$from);

In-Game Messages:

      CREATE TABLE PLAYER_MESSAGES(
      FROMPLAYER INTEGER,
      INBOXOF INTEGER,
      SUBJECT VARCHAR(200),
      MESSAGE TEXT,
      MSGTYPE INTEGER,               -- 1=inbox, 2=sent
      STATUS CHAR(1),                -- 'R'=read, 'N'=new
      GOLD INTEGER DEFAULT 0,        -- Attached gold
      RENT INTEGER DEFAULT 0         -- Rental fee
      );

Mail can include:

• Text message
• Gold transfer
• Item attachments (stored in separate table)
• Rental requests

---

Security Score: 7/10 - Best Security in Collection (Games 1-43)

MAJOR IMPROVEMENTS:

1. Database Abstraction with Escaping ($db->qstr())

      // GOOD: Consistent use throughout codebase
      $sql="SELECT ID FROM PLAYER WHERE USERNAME = ".$db->qstr($_POST["USERNAME"]);

Found 30+ instances of $db->qstr() usage. This is the first game to use database abstraction consistently.

2. Input Casting (Integer Sanitization)

      // GOOD: Cast to integer before using in SQL
      $id = $_GET["ARROW"]+0;  // Forces integer conversion
      $page = $_GET["PAGE"]+0;

3. URL Tampering Detection (game.php)

      if($_SERVER["HTTP_HOST"] != "localhost"
      && count($_GET) > 0
      && check_cert() == false)
      {
      echo "Tried to fake the URL.";
      exit;
      }

Uses `$gamecert` hash in config.inc to validate GET parameters (prevents URL manipulation).

4. Error Handling (custom handler)

      function game_error_handling($errno, $errmsg, $filename, $linenum, $vars) {
      if($errno == 8 || $errno == 2048) return; // Ignore notices
      include "libs/handle_error.php";
      }
      set_error_handler("game_error_handling");

5. Admin IP Logging

      CREATE TABLE ADMIN_LOG(
      USERID INTEGER,
      IP VARCHAR(15),
      WHEN TIMESTAMP
      );

Tracks admin actions with IP addresses.

6. Cross-Exploit Detection

      CREATE TABLE CROSS_EXPLOIT(
      FROMPLAYER INTEGER,
      TOPLAYER INTEGER,
      MESSAGE TEXT
      );

Logs suspicious transactions (same IP accounts trading items/gold).

CRITICAL VULNERABILITIES:

1. PLAINTEXT PASSWORD STORAGE

      -- rpg_tables.sql:14
      PASSWORD VARCHAR(20),  -- NO HASHING!
      -- Default accounts:
      INSERT INTO PLAYER(...,USERNAME,PASSWORD,...) VALUES(...,'admin','admin',...);
      INSERT INTO PLAYER(...,USERNAME,PASSWORD,...) VALUES(...,'player','player',...);

Passwords stored in plaintext:

• Database stores plaintext
• Cookie stores plaintext (`RPG=1/admin/admin/Y`)
• No MD5, no bcrypt, no hashing whatsoever

2. Cookie-Based Auth with Plaintext Credentials

      // game.php:66
      $password=urldecode($p[2]); // Extract plaintext password from cookie

Anyone with cookie access = full account access.

3. No CSRF Protection

• No tokens in forms
• All POST/GET actions vulnerable to cross-site request forgery

4. XSS Still Possible

      // stripslashes() used but minimal htmlspecialchars()
      // User input can contain JavaScript in many places

5. Eval() Usage (Quest System)

      // quests_util.php - EXECUTES USER-DEFINED CODE!
      $code = 'if ('.$r->fields[1].') $res=true;';
      eval($code);  // IFCODE from DIALOGLINKS table

Quest editors can inject PHP code. While admin-only, this is dangerous if admin accounts compromised.

6. Deprecated mysql_* Functions

• All queries use mysql_* (removed PHP 7.0)
• No mysqli or PDO

7. Some Integer Casting Missing

      // combats_util.php:63 - DOES cast to int
      $id=$_GET["DRINKID"]+0;
      // But other places may miss casting

Comparison to Previous Games

NEAB Explorer has the BEST SQL injection prevention (database abstraction) but WORST password security (plaintext everywhere).

---

Code Quality Score: 8/10 - Professional Engineering

STRENGTHS:

1. Modular Architecture

      neab/
      ├── libs/              # Core utilities (reusable functions)
      ├── admin_tools/       # Web-based admin panels (12 tools)
      ├── player_tools/      # Player features
      ├── locations_modules/ # Location type templates
      ├── combat/            # Combat system
      └── skills/            # Crafting/gathering systems

Each module is self-contained with clear separation of concerns.

2. Database Abstraction Layer

      // db_conn.php - Auto-detects PHP version
      if((substr(phpversion(),0,1)+0) >= 5)
      include "db_conn_5.php";
      else
      include "db_conn_4.php";

Custom ADODB emulation:

• `Execute()` - Run query, return recordset
• `qstr()` - Escape string
• `MoveNext()` - Advance recordset
• `Close()` - Free resources

Claims to be "2x faster than ADODB."

3. Comprehensive Documentation

      docs/
      ├── skills/                    # 14 skill system docs
      ├── admin_tools/               # 12 admin tool docs
      │   ├── quest_manager/
      │   ├── dialog_editor/
      │   ├── location_manager/
      │   └── ...
      └── player_tools/              # Player feature docs

118 .txt files with source code explanations (1,190 HTML files in total).

4. Professional Comments

      /<em></em>
<ul>
          <li><i class="fa fa-file-code-o"></i> Emulate ADODB (min) functionalities and at the same time be 2x as fast</li>
          <li><i class="fa fa-file-code-o"></i> Code used for PHP 4.X</li>
</ul>

      */

PHPDoc-style comments throughout codebase.

5. Error Handling

      set_error_handler("game_error_handling");
      // Custom handler logs errors, prevents info leakage

6. Activity Tracking

      CREATE TABLE ACTIVEPLAYER(
      USERID INTEGER,
      YEAR INTEGER,
      MONTH INTEGER,
      DAY INTEGER,
      HOUR INTEGER
      );

Tracks player activity by hour (analytics system).

7. Performance Optimization

      // game.php:19 - Microsecond timing
      $execstart=getmicrotime();
      // ... page execution ...
      // End of page: show execution time

8. Browser Compatibility

      normal.css       # Standard CSS
      normal_ie.css    # Internet Explorer fixes

Separate IE stylesheet (remember IE6-8 quirks in 2005-2007).

9. AJAX Integration

      // map_script.js - handles 2D map movement
      // Calls action_on_map.php via XMLHttpRequest

Advanced for 2007: AJAX was cutting-edge then.

10. Caching System

      // store_cache.php - Serves cached images
      if($_GET["OBJ"] != "")
      $_SERVER["PATH_INFO"]="/".$_GET["OBJ"];

WEAKNESSES:

1. Plaintext Passwords

      PASSWORD VARCHAR(20)  -- Should be hashed

Major architectural flaw.

2. Cookie-Based Auth

      // Should use sessions, not cookies with passwords
      setcookie("RPG",$id."/".$username."/".$password."/Y");

3. Eval() in Quest System

      eval($code);  // DANGEROUS!

4. Large Function Files

      misc_util.php:     1,297 lines
      combats_util.php:    739 lines
      quests_util.php:     806 lines

Should be broken into smaller files.

5. No Unit Tests

• No automated testing
• Quality assurance relies on manual testing

6. Deprecated MySQL Functions

      mysql_connect()
      mysql_query()
      mysql_fetch_array()

All removed in PHP 7.0.

7. Magic Numbers

      if($difftime < 5*60) // Why 5 minutes? No constant

8. Inconsistent Naming

      -- Database uses UPPERCASE table names
      CREATE TABLE PLAYER(...)
      -- PHP uses lowercase/camelCase
      $uservals, $db, $userid

---

Database Schema (rpg_tables.sql - 1,896 lines!)

50+ Tables:

Core Player System:

• `PLAYER` (98 columns!) - Player accounts
• `PLAYER_COMBAT` - Combat state
• `PLAYER_MEDALS` - Achievements
• `PLAYER_PETS` - Pet ownership
• `PLAYER_LINKS` - Friend system
• `ACTIVEPLAYER` - Activity log
• `ADMIN_LOG` - Admin action log

Inventory & Items:

• `INVENTORY` - Player inventory
• `OBJECTS` - Item definitions (weapons, armor, potions, materials)
• `USED_OBJECTS` - Currently equipped items
• `OBJECT_FORMULA` - Crafting recipes
• `OBJECT_TYPE_CODE` - Item categories

Quests & Dialogs:

• `QUESTS` - Quest definitions
• `QUESTVARIABLES` - Quest state tracking
• `FINISHEDQUESTS` - Completed quests
• `AVAILABLE_QUESTS` - Active quests
• `DIALOGS` - NPC dialog text
• `DIALOGLINKS` - Dialog tree branches
• `DIALOGCODE` - Dialog execution code
• `DIALOGIF` - Dialog conditions
• `DIALOGACCESS` - Dialog prerequisites
• `JOURNAL` - Quest journal entries

Maps & Locations:

• `LOCATIONS` - Game locations
• `MAPS` - Map metadata
• `MAP_TILES` - Tile data (X, Y, background, foreground)
• `MAP_MONSTERS` - Monster spawn points
• `PLAYER_MAP` - Player-created maps
• `DUNGEON_MAP` - Instanced dungeon maps
• `DUNGEON_LINKS` - Dungeon connections

Combat & Monsters:

• `MONSTERS` - Monster definitions
• `POTION_EFFECTS` - Temporary stat buffs
• `SPELLBOOK` - Player spells
• `TABLE_HUNTING` - Hunting activities
• `TABLE_ACTIONS` - Combat actions
• `ACTION_TYPES` - Action definitions

Social & Economy:

• `PLAYER_MESSAGES` - Mail system
• `THIEFS` - Theft records
• `PICKPOCKETS` - Pickpocket log
• `CROSS_EXPLOIT` - Multi-account exploit detection
• `MEDALS` - Achievement definitions

Analytics:

• `MONTHACTIV` - Monthly activity stats (31 columns for days!)
• `MAXDATA` - Peak statistics

Complex Data Structures

1. PLAYER Table (98 columns!)

      CREATE TABLE PLAYER(
      -- Identity (6)
      ID, CREATED, AUTHORIZED, USERNAME, PASSWORD, EMAIL,
      -- Stats (19)
      LEVEL, EXPERIENCE, DEXTERITY, STRONGNESS, CHARISMA, INTELLIGENCE,
      HP, MAXHP, MP, MAXMP, SICKNESS, INVISIBILITY, TITLE, ALIGNEMENT,
      ATTACK, PROTECTION, DEXMOD, STRMOD, CHAMOD,
      -- Equipment (11)
      HAT, ARMOR, RING1, RING2, GLOVES, PANTS, SHOES, CAPE, SHIELD, WEAPON,
      -- Combat (9)
      MONSTERCOMBAT, MONSTERHP, BLOCK, COMBATPROT, COMBATDEX, COMBATSTR,
      COMBATSYSTEM, COMBATX, COMBATY,
      -- Economy (3)
      GOLD, BOUNTY, RENT,
      -- Location (5)
      LOCATION, SUBLOC, MAPX, MAPY, ONFINISH,
      -- Arena (3)
      ARENAPOINTS, ARENAFREEZE, ARENAPOTION,
      -- Status (10)
      FREEZE, HUNGRY, LASTCOMMAND, LASTACTION, ROLE, PHPPAGE, MSGSTATUS,
      PVP, CHATBAN, AWAY,
      -- UI Preferences (10)
      NEWSLETTER, CHATSOUND, HELPER, QUICKINVENTORY, SCHOOL, SEX,
      PREVDIALOG, IMAGEQUALITY, FULLSCREEN, MINIINVENTORY,
      -- Pets (1)
      DEFPET,
      -- Stats Tracking (7)
      LASTEXP, LASTLEVEL, TIMEPLAYED, IP, MAILNOTIFY, JAVACHAT, GUIBLOCKED,
      -- Unused (5)
      ICONID, HPMOD, MPMOD, INTMOD, POPIN, SIGNEDJAVA, RESURECT
      );

Most complex player table in any game analyzed (1-43).

2. Quest Dialog System

Dialog Tree Structure:

      NPC: "Hello, traveler!"
      ├─ [Choice 1: "Who are you?"] → Dialog ID 2
      │  └─ NPC: "I'm the blacksmith." → Dialog ID 3
      │     └─ [Choice: "Can you craft me a sword?"] → Quest starts
      ├─ [Choice 2: "I need a quest."] → Dialog ID 4
      │  └─ NPC: "Kill 10 wolves." → Quest given
      └─ [Choice 3: "Goodbye."] → Dialog ends

Implemented via:

• `DIALOGS` table stores NPC text
• `DIALOGLINKS` table stores choices
• `IFCODE` column filters choices (e.g., `$uservals["LEVEL"] >= 5`)
• `DOCODE` column executes actions (e.g., `give_item(123, 1);`)

3. Crafting Formula System

Example: Iron Sword

      -- Output: Iron Sword (ID 100)
      INSERT INTO OBJECT_FORMULA VALUES(100, 3, 50, 'O'); -- 3x Iron Bar
      INSERT INTO OBJECT_FORMULA VALUES(100, 1, 200, 'T'); -- 1x Hammer (tool)

'O' = Object (consumed), 'T' = Tool (reusable)

4. Map Tile Data

7x7 View:

      [Grass][Grass][Tree ][Grass][Grass][Water][Water]
      [Grass][Rock ][Grass][Grass][Grass][Water][Water]
      [Tree ][Grass][Grass][Player][Grass][Grass][Water]
      [Grass][Grass][Grass][Chest][Grass][Tree ][Grass]
      [Grass][Enemy][Grass][Grass][Grass][Grass][Grass]
      [Water][Water][Grass][Grass][Tree ][Grass][Grass]
      [Water][Water][Grass][Grass][Grass][Grass][Tree ]

Each cell has:

• `TILEID` (background: grass, water, dirt)
• `OBJECTID` (foreground: tree, rock, chest, enemy)
• `WALKABLE` (Y/N - can player enter?)

---

Browser RPG Engine Market (2005-2007)

Context:

• Standalone games dominated: MCCodes (2008), mafia games, basic RPGs
• Engine marketplace rare: Most developers built from scratch
• NEAB Explorer pioneer: One of few complete game creation toolkits

Similar Engines (2005-2007):

• Legend of the Green Dragon (LotGD) - Text-based dragon slaying (open source)
• phpRPG - Basic RPG framework
• NEAB Explorer - Full 2D tile-based with AJAX (more advanced)

NEAB Explorer Innovation:

• Visual editors: Dialog editor, map editor, location manager (web-based)
• AJAX combat: Real-time combat without page refreshes (cutting-edge in 2007)
• Modular location system: Developers can create custom location types
• Quest scripting: PHP code execution in dialogs (powerful but dangerous)

Timeline Position

Pre-NEAB Explorer:

• 2005: Mob Star - Basic mafia game, 1/10 security
• 2007: Mroczni Rycerze - Polish RPG, router pattern, 4/10 security
• 2008: MCCodes - Mafia game engine, 7/10 security

NEAB Explorer (2005-2007):

• Better architecture than earlier games (abstraction layer, modular design)
• Worse password security than MCCodes (plaintext vs hashed)
• Most advanced features (2D maps, AJAX, visual editors)

Post-NEAB Explorer:

• 2008+: Browser RPG engines became more common
• 2010s: HTML5 canvas replaced tile-based maps
• 2015+: WebGL 3D games emerged

Comparison to Contemporaries

vs MCCodes (Game 39, 2008):

vs Mroczni Rycerze (Game 42, 2007):

Lesson: NEAB Explorer represents professional game engine development vs hobbyist standalone games. The scale difference is dramatic (17k vs 1.7k lines).

---

External Dependencies

None. Completely self-contained.

PHP Extensions Required

<ul>
          <li><i class="fa fa-database"></i> mysql extension (deprecated, removed PHP 7.0)</li>
          <li><i class="fa fa-caret-right"></i> GD library (image manipulation)</li>
          <li><i class="fa fa-caret-right"></i> session support (built-in)</li>
          <li><i class="fa fa-caret-right"></i> error_reporting (E_ALL ^ (E_WARNING | E_NOTICE))</li>
</ul>

Database Requirements

      -- MySQL 3.x or above
      -- MyISAM engine (all tables)
      -- 50+ tables (1,896-line SQL file)
      -- ~500 KB database size (empty)
      -- ~50 MB with game content (maps, monsters, items, quests)

Installation Complexity: MEDIUM

Install Process (install.txt):

<ul>
          <li><i class="fa fa-database"></i> Create MySQL database</li>
          <li><i class="fa fa-database"></i> Import rpg_tables.sql (1,896 lines)</li>
          <li><i class="fa fa-caret-right"></i> Copy neab/ directory to web root</li>
          <li><i class="fa fa-cog"></i> Edit config/config.inc:</li>
          <li><i class="fa fa-database"></i> $dbuser = database username</li>
          <li><i class="fa fa-exclamation-triangle"></i> $dbpass = database password</li>
          <li><i class="fa fa-database"></i> $dbname = database name</li>
          <li><i class="fa fa-gamepad"></i> $gamecert = random hash (for URL validation)</li>
          <li><i class="fa fa-gamepad"></i> $gametitle = your game name</li>
          <li><i class="fa fa-file-code-o"></i> Access index.php</li>
          <li><i class="fa fa-exclamation-triangle"></i> Login with admin/admin (default credentials)</li>
          <li><i class="fa fa-exclamation-triangle"></i> Change admin password immediately</li>
</ul>

Pros:

• Complete documentation (install.txt)
• Single SQL file (no migrations)
• Default accounts included (admin/admin, player/player)
• Visual admin tools (no SQL knowledge needed)

Cons:

• No installation wizard (manual config edit)
• Default passwords insecure (admin/admin)
• No database validation (fails silently if wrong credentials)
• Requires Apache + PHP + MySQL knowledge

Deployment Requirements

      LAMP Stack:
<ul>
          <li><i class="fa fa-caret-right"></i> Linux/Windows server</li>
          <li><i class="fa fa-caret-right"></i> Apache with mod_rewrite (optional)</li>
          <li><i class="fa fa-caret-right"></i> PHP 4.x or 5.x (will NOT work on PHP 7.0+)</li>
          <li><i class="fa fa-database"></i> MySQL 3.x-5.x</li>
          <li><i class="fa fa-caret-right"></i> 50 MB disk space (minimum)</li>
          <li><i class="fa fa-caret-right"></i> GD library for image manipulation</li>
</ul>

Modern Deployment: IMPOSSIBLE without rewrites

• mysql_* functions removed PHP 7.0 → Must rewrite all database calls
• Plaintext passwords → Must implement hashing
• Cookie auth → Must switch to sessions
• eval() usage → Must sanitize quest code
• No prepared statements → Must rewrite SQL

Estimated rewrite effort: 200-300 hours (massive codebase).

---

Completeness Score: 9/10 - Fully Functional Engine

What's Present:

• Full source code (98 PHP files, 17,035 lines)
• Database schema (rpg_tables.sql, 1,896 lines, 50+ tables)
• All images (2,007 GIF + 9 PNG + 1 JPG)
• JavaScript files (7 .js files for AJAX/maps)
• CSS stylesheets (4 files)
• Comprehensive documentation (118 .txt docs)
• Installation guide (install.txt)
• License agreement (license.txt)
• Default game content (maps, monsters, items, quests)
• Admin tools (12 visual editors)
• Default accounts (admin/admin, player/player)

What's Missing:

• No sample game deployment (only engine)
• No video tutorials
• No English community documentation (code comments minimal)

What's Broken:

• ⚠️ Plaintext passwords (architectural flaw)
• ⚠️ Deprecated mysql_* functions (PHP 7.0+ incompatible)
• ⚠️ No modern PHP support

Playability Status:

      Can Install:         YES (if PHP 5.6 available)
      Can Register:        YES
      Can Login:           YES (default: admin/admin)
      Can Explore Maps:    YES
      Can Combat:          YES
      Can Quest:           YES
      Can Craft:           YES
      Can Admin:           YES (12 visual tools)
      Can Run on PHP 7+:   NO (requires full rewrite)

Cultural Value: HIGH - Pioneer Browser RPG Engine

Historical Significance:

• First complete game engine in collection (games 1-43)
• AJAX pioneer (cutting-edge 2005-2007 web tech)
• Visual admin tools (rare for era)
• Dialog tree scripting (sophisticated quest system)
• Database abstraction (professional architecture)
• International team (Alain Bertrand, Sebastian Budijanto, Robert Smith)

Comparative Rarity:

• Unique: Only complete game engine in 43-game collection
• Rare: 2D tile-based AJAX maps (most games text-based)
• Common: PHP/MySQL stack
• Rare: 1,896-line SQL schema (most games <100 tables)
• Unique: eval() quest scripting (powerful but dangerous)

In Wild:

• www.nowhere-else.org = defunct (domain parked)
• "NEAB Explorer" Google results = minimal
• "Nowhere Else and Beyond" = few references
• Estimated copies worldwide: <50 (very rare engine)

Restoration Difficulty: VERY HIGH

To Run on PHP 5.6:

Effort: LOW (4-8 hours)

Edit config/config.inc with database credentials
Import rpg_tables.sql
Change admin password
Test all features

To Run on PHP 7.x+:

Effort: EXTREME (200-300 hours)

Replace ALL mysql_* with mysqli/PDO (98 files!)
Add password hashing (bcrypt)
Switch cookie auth to sessions
Remove eval() from quest system (security risk)
Add prepared statements (SQL injection prevention)
Fix deprecated PHP features (each(), create_function(), etc.)
Test 50+ database tables
Test 12 admin tools
Test all player features

To Modernize (2024 standards):

Effort: EXTREME (500+ hours = complete rewrite)

Framework migration (Laravel, Symfony)
API-based architecture (REST/GraphQL)
Modern frontend (React, Vue)
WebSockets for real-time (replace AJAX)
Canvas/WebGL for 2D maps
Docker deployment
Unit tests
Security audit

Comparative Rarity

In This Collection (Games 1-43):

• Unique: Only game engine (all others standalone games)
• Unique: 2D AJAX maps
• Unique: Visual admin tools (12 editors)
• Rare: 17k+ lines (3rd largest after likely MCCodes and others)
• Common: PHP/MySQL stack
• Unique: Dialog tree scripting with eval()

In Wild:

• Extremely Rare: <50 estimated copies
• Lost: Original www.nowhere-else.org site defunct
• Undocumented: No community preservation efforts
• Unique Architecture: Database abstraction + AJAX maps rare for 2005-2007

---

Overall Rating: 8/10 - Professional Game Engine, Plaintext Flaw

RATING BREAKDOWN:

STRENGTHS:

• Database Abstraction Layer
• Custom ADODB emulation (2x faster claimed)
• Consistent $db->qstr() usage (30+ instances)
• Good SQL injection prevention
• PHP 4.x / 5.x auto-detection

• Professional Architecture
• Modular design (libs/, admin_tools/, player_tools/, locations_modules/)
• Separation of concerns (utilities, combat, quests, maps separate)
• Error handling (custom handler)
• Activity tracking (analytics)

• Advanced Features (2005-2007)
• 2D tile-based AJAX maps (click-to-move, real-time combat)
• Visual admin tools (12 web-based editors)
• Dialog tree system (branching conversations with variables)
• Crafting recipes (formula system with tools)
• Pet system (hunger, happiness, leveling)
• Medal achievements
• Mail with attachments (gold, items)

• Comprehensive Documentation
• 118 .txt source documentation files
• install.txt (installation guide)
• license.txt (usage terms)
• PHPDoc-style comments

• Complete Game Engine
• Not a game, but a toolkit for creating games
• Default content included (maps, monsters, items, quests)
• Default accounts (admin/admin, player/player)
• Visual editors (no code knowledge needed)

• AJAX Innovation
• XMLHttpRequest for map movement (2005-2007!)
• Real-time combat updates
• No page refreshes
• JavaScript + PHP backend

WEAKNESSES:

• CRITICAL: Plaintext Password Storage
• Database stores plaintext passwords (VARCHAR(20))
• Cookies store plaintext passwords (RPG=1/admin/admin/Y)
• No hashing: no MD5, no bcrypt, nothing
• Default accounts: admin/admin, player/player (insecure)
• Worst password security in collection

• Cookie-Based Authentication
• Should use sessions, not cookies
• Password exposed in browser cookies
• Anyone with cookie = full account access

• Eval() Usage
• Quest system executes arbitrary PHP code (eval($code))
• Admin-created quests can inject malicious code
• Dangerous if admin accounts compromised

• Deprecated PHP
• mysql_* functions (removed PHP 7.0)
• Won't run on modern PHP
• 200-300 hour rewrite needed

• No CSRF Protection
• All forms vulnerable to cross-site request forgery
• No tokens

• Large Function Files
• misc_util.php (1,297 lines)
• Should be broken into smaller modules

• XSS Still Possible
• stripslashes() used but minimal htmlspecialchars()
• User input can contain JavaScript

Tier Classification: TIER 1 - Professional Game Engine

Comparison to Collection:

• Better than: other standalone - this is an engine, not a game
• Better than: MCCodes - more advanced features (AJAX maps, visual editors)
• Worse than: None yet (first Tier 1 game)
• Unique: Complete game engine

Preservation Priority: CRITICAL / MAXIMUM

Justification:

• Unique Artifact: Complete game engine
• Technical Innovation: AJAX maps + visual editors (2005-2007 cutting-edge)
• Professional Engineering: Database abstraction, modular architecture, 118 docs
• Cultural History: Documents browser RPG engine development era
• Extreme Rarity: <50 copies estimated, original site defunct
• Educational Value: Shows professional game development patterns 2005-2007

Ideal Use Cases (2024)

Educational Value:

• Software Architecture Study: Database abstraction, modular design
• Security Case Study: SQL injection prevention (good) vs plaintext passwords (bad)
• Historical Web Tech: AJAX usage in 2005-2007 era
• Game Engine Design: How to build modular game toolkit
• Quest System Design: Dialog tree scripting patterns

Historical Research:

• Browser RPG Evolution: Engine marketplace development
• AJAX Adoption: Early XMLHttpRequest usage
• Visual Tooling: Web-based game editors (pre-modern frameworks)
• PHP 4.x/5.x Era: Auto-detection patterns

Restoration Projects:

• ⚠️ Extreme Effort: 200-300 hours for PHP 7+ compatibility
• ⚠️ Security Overhaul: Must implement password hashing
• Cultural Preservation: Document AJAX + visual editor innovation
• Code Study: Professional architecture patterns

The NEAB Explorer Story

NEAB Explorer represents professional browser RPG engine development before modern frameworks:

• 2005: Alain Bertrand creates "Nowhere Else and Beyond" browser RPG
• 2005-2007: Develops NEABExplorer engine (extracts gameplay systems)
• v1.3.1: Mature release with AJAX maps, 12 visual editors, 50+ database tables
• Team: Sebastian Budijanto (QA), Robert Smith (contributor)
• Innovation: 2D tile-based AJAX maps (cutting-edge for 2007)
• Architecture: Database abstraction layer (professional pattern)
• Fatal Flaw: Plaintext password storage (massive oversight)
• 2010?: www.nowhere-else.org goes offline
• 2024: Discovered in archive, recognized as unique game engine artifact

The Lesson: Professional architecture doesn't guarantee security. NEAB Explorer has the best SQL injection prevention (database abstraction with qstr()) but the worst password security (plaintext everywhere) of any game analyzed. This demonstrates that security requires holistic thinking, not just individual best practices. The eval() quest system shows the danger of powerful features without safeguards—admin-created quests can execute arbitrary PHP code.

The Innovation: AJAX maps in 2005-2007 were revolutionary. Modern developers take real-time updates for granted, but NEAB Explorer pioneered XMLHttpRequest-based gameplay when most browser games still used full page refreshes. The visual admin tools (12 web-based editors) anticipated modern game engines (Unity, Unreal, Godot) by providing non-programmers with game creation tools.

Final Assessment

Technical Quality: 🏆 Tier 1 (professional engineering, modular architecture)

Security Quality: ⚠️ Mixed (best SQL prevention, worst password storage)

Cultural Value: 🏆 CRITICAL (only game engine, AJAX pioneer, visual editors)

Playability: Fully Functional (PHP 5.6), 💥 Broken (PHP 7+)

Recommendation: PRESERVE as maximum-priority artifact. NEAB Explorer is a complete game engine, representing professional browser RPG development circa 2005-2007. The AJAX-based 2D tile maps and 12 visual admin tools show technical innovation years ahead of competitors. The database abstraction layer demonstrates professional engineering patterns rare in hobbyist projects. However, the plaintext password storage is a catastrophic security oversight that undermines otherwise solid architecture. The 17,035-line codebase, 50+ database tables, and 118 documentation files document an extinct era of browser RPG engine development. With <50 estimated copies worldwide and the original www.nowhere-else.org site defunct, this is a critical cultural artifact requiring preservation before PHP 7+ migration makes it permanently unrunnable.

CRITICAL WARNING: Never deploy with default passwords (admin/admin, player/player). Never use in production without implementing password hashing. Cookie-based auth with plaintext passwords = instant compromise. Eval() in quest system = remote code execution risk. This engine is educational/historical, not production-ready.

---

Archive Status: PRESERVED

Analyst Notes: This is a complete game engine. NEAB Explorer represents professional browser RPG development with AJAX maps (2005-2007 cutting-edge), visual admin tools (12 editors), and database abstraction layer. The 17,035-line codebase with 50+ database tables documents sophisticated game architecture. However, plaintext password storage (database + cookies) is a catastrophic security flaw. The eval() quest system allows arbitrary PHP code execution. Despite flaws, this is a maximum-priority preservation artifact, with <50 estimated copies worldwide and original www.nowhere-else.org site defunct. Unique innovation: AJAX-based 2D tile maps with click-to-move navigation (2007). Team: Alain Bertrand (dev), Sebastian Budijanto (QA), Robert Smith (contributor). License: Proprietary with modification rights.