Amazing Collection of online role playing games for your website!

Spirit of Gaia

HOT
Only registered and logged in users can download this file.
Rating
(0 votes)
Technical Details
Filename spirit_of_gaia.zip
Size 373.54 KB
Downloads 98
Author Unknown
Created 2003-12-24
Changed 2025-12-11
System PHP 5.x
Price $0.00
Screenshot
Spirit of Gaia

A charming, early-2000s JRPG prototype that captures the spirit of classic adventures. Assemble a party, explore handcrafted maps, and battle using an active time system where initiative, spells, items, and equipment all matter. Its script-driven events and dialogue give creators a playful toolkit to shape quests and moments.

Though modest and unfinished, Spirit of Gaia evokes retro warmth—perfect for fans of classic fantasy and developers who appreciate fast iteration and imaginative systems. It’s an inspiring foundation for hobby projects and nostalgic worlds.

File Verification
MD5 Checksum
3040700f1bd740ec0aee1b925ba6359c
SHA1 Checksum
f170a7812dd369d3fda3625679991e736a04fc19

Spirit of Gaia - Analysis Report - Game Analysis Report

1. Identity & Metadata

Game Name: Spirit of Gaia (SoG)

Version: 0.0.3 (Alpha/Prototype)

Genre: Browser-based fantasy RPG

Developer: jezze (This email address is being protected from spambots. You need JavaScript enabled to view it.) & rewben (This email address is being protected from spambots. You need JavaScript enabled to view it.)

License: GNU GPL (Open Source)

Project URL: http://phpfantasyrpg.sourceforge.net/

Release Era: ~2003

Inspiration: Secret of Mana, Final Fantasy (Square Soft classics)

Status: UNFINISHED PROTOTYPE - Developer admits "full of bugs and missing features"

---

2. Codebase Statistics

Total Files: 64

File Breakdown:

  • PHP: 20 files (50,881 bytes) - 1,672 lines
  • PNG: 40 files (357,052 bytes) - 348 KB graphics
  • SQL: 1 file (12,384 bytes)
  • TXT: 2 files (4,802 bytes) - Documentation
  • CSS: 1 file (832 bytes)

Total Size: ~425 KB

Key Directories:

  • / - 6 main PHP files (index, login, game, engine, admin)
  • /includes/ - 15 include files (library, data, load, save, use, page templates)
  • /gfx/ - 40 PNG graphics (classes/, enemies/ subdirectories)
  • /data/ - 1 SQL file (data.sql - 12 KB)
  • /docs/ - 2 TXT files (readme.txt, scriptsystem.txt)

Lines of Code: 1,672 PHP lines (smallest game analyzed!)

---

3. Core Architecture

3.1 Technology Stack

PHP Architecture:

  • PHP 4.3+ compatible
  • Requires register_globals = Off (security-conscious!)
  • Session-based game state
  • MySQL database backend
  • Custom script engine for game events

Database Configuration (includes/data.inc.php):

`php

$db_hostname = "localhost";

$db_username = "root";

$db_password = "";

$db_name = "phpfantasyrpg";

mysql_connect($db_hostname, $db_username, $db_password);

mysql_select_db($db_name);

`

Clean Configuration: No hardcoded production credentials (unlike Robot Warz!)

3.2 Session Architecture

Session Storage (login.php):

`php

$_SESSION["User"] = array(); // User account data

$_SESSION["Players"] = array(); // Party members

$_SESSION["Enemies"] = array(); // Battle enemies

$_SESSION["Map"] = array(); // Current map

$_SESSION["Messages"] = array(); // Game messages (rolling 5)

$_SESSION["Script"] = array(); // Script engine state

$_SESSION["Triggers"] = array(); // Quest triggers

$_SESSION["Head"] = array(); // Text header

$_SESSION["Text"] = array(); // Text content

$_SESSION["Module"] = "Explore"; // Current game mode

`

Everything in Memory: All game state stored in PHP sessions (no persistent save!)

3.3 Module System

Game Modules ($_SESSION["Module"]):

  • Explore - Map exploration mode
  • Battle - Turn-based combat
  • Status - Character status screen
  • Dialog - NPC conversations
  • Text - Story text display

Module Switching:

`php

function module_select($module)

{

$_SESSION["Module"] = $module;

}

`

3.4 Database Schema

12 Tables (data/data.sql):

Core Tables:

  • users - User accounts (Name, Password, Email, PosX, PosY, Gold, MapID, GameID, QuestID)
  • players - Party members (Name, Experience, CurrentLife, CurrentMana, Weapon, Armor, Shield, UserID, ClassID)
  • players_classes - Character classes (Fighter, Magician)
  • players_spells - Spell list (Cure, Stone Crush)
  • players_stash - Inventory (PlayerID, ObjectID, ObjectTable)

Map Tables:

  • maps - Map definitions (Name, MeleeClass, MeleeMin, MeleeMax)
  • maps_coords - Walkable coordinates (MapID, PosX, PosY)
  • maps_events - Script triggers (Event, MapID, MapPosX, MapPosY)

Object Tables:

  • objects_equipment - Equipment (Weapons, Armor, Shields with stats)
  • objects_items - Consumables (Candy, Medical Herb, Chocolate, Royal Jam, Tent)

Social Tables:

  • users_messages - Message log
  • users_triggers - Quest completion tracking
  • npcs - Non-player characters (Lucca)

3.5 Script Engine (Custom!)

Script Language (docs/scriptsystem.txt):

Commands Available:

`plaintext

`

Script Execution (includes/library.inc.php):

`php

function script_load($script)

{

$_SESSION["Script"] = array();

$_SESSION["Script"] = script_make($script); // Parse script

$_SESSION["ScriptStart"] = 0;

$_SESSION["ScriptPosition"] = 0;

script_start(); // Execute

}

function script_start()

{

for ($i = $_SESSION["ScriptStart"]; $i < count($_SESSION["Script"]); $i++)

{

$_SESSION["ScriptPosition"] = $i;

$value = script_vars($_SESSION["Script"][$i]);

if ($value[0] == "PAUS") { break; }

if ($value[0] == "END") { $_SESSION["Script"] = array(); }

if ($value[0] == "NEXT") { $_SESSION["ScriptStart"] = $_SESSION["ScriptPosition"] + 1; }

if ($value[0] == "MODULE") { $_SESSION["Module"] = $value[1]; }

if ($value[0] == "TEXT") { text_set($value[1], $value[2]); }

// ... etc

}

}

`

Example Script (maps_events table):

`sql

INSERT INTO maps_events VALUES (

1,

'#MODULE# #Text#\r\n#TEXT# #Introduction# #It all began a long time ago#\r\n#PAUS#\r\n#MODULE# #Explore#\r\n#END#',

1, 50, 50

);

`

Custom Event System: Like a text adventure engine for RPG events!

---

4. Gameplay Systems

4.1 Authentication System

Login (login.php):

`php

function load_ok($name, $password)

{

$sql_query = "SELECT * FROM users WHERE Name = '$name' AND Password = '$password'";

$sql = mysql_query($sql_query);

if (mysql_num_rows($sql)) { return(true); }

return(false);

}

`

PLAINTEXT PASSWORDS: Passwords stored unencrypted!

Demo Account: username=demo, password=demo (mentioned in readme)

4.2 Party System

Multi-Character Party:

`php

$_SESSION["Players"] = load_players($_SESSION["User"]["ID"]);

`

Character Stats:

  • Strength - Damage modifier
  • Agility - Defense modifier
  • Endurance - Initiative gain rate
  • Vitality - HP calculation (Vitality + Level*10 + 50)
  • Wisdom - MP calculation (Wisdom + Level*2 + 10)

Derived Stats:

`php

$sn["Life"] = $sn["Vitality"] + $sn["Level"] * 10 + 50;

$sn["Mana"] = $sn["Wisdom"] + $sn["Level"] * 2 + 10;

$sn["Damage"] = $sn["Strength"] + $sn["Level"];

$sn["Defence"] = $sn["Agility"] + $sn["Level"];

`

Character Classes (2):

  • Fighter - Balanced stats (5/5/5/5/5), learns "Stone Crush" spell
  • Magician - Higher stats (10/10/10/10/10), learns "Cure" spell

4.3 Combat System

Turn-Based Initiative:

`php

// Initiative Gauge (0-100)

$_SESSION["Players"][$i]["Initiative"] =

$_SESSION["Players"][$i]["Initiative"] +

$_SESSION["Players"][$i]["Endurance"] +

mt_rand(0, 1);

if ($_SESSION["Players"][$i]["Initiative"] >= 100)

{

$_SESSION["Players"][$i]["Initiative"] = 100;

// Player can act

}

`

Active Time Battle (ATB) Style: Like Final Fantasy!

Combat Actions:

  • Attack - use_weapon()
  • Item - use_item()
  • Spell - use_spell()
  • Gauge - Increase gauge meter (1-5)
  • Flee - 50% chance to escape

Damage Calculation:

`php

function use_weapon($id, $ag, $an, $tg, $tn)

{

$damage = $_SESSION[$ag][$an]["Damage"] - $_SESSION[$tg][$tn]["Defence"];

if ($damage > 0)

{

$_SESSION[$tg][$tn]["CurrentLife"] =

$_SESSION[$tg][$tn]["CurrentLife"] - $damage;

}

$_SESSION[$ag][$an]["Gauge"] = 1;

messages_add("" . $_SESSION[$ag][$an]["Name"] . " attacked " . $_SESSION[$tg][$tn]["Name"] . "");

}

`

Simple Formula: Damage = Attacker Damage - Defender Defense

Enemy AI (battle_enemy):

`php

function battle_enemy($an)

{

// Pick random living target

for ($i = 0; $i < count($_SESSION["Players"]); $i++)

{

if ($_SESSION["Players"][$i]["CurrentLife"] > 0)

{

$target[count($target)] = $i;

}

}

$tn = $target[mt_rand(0, count($target) - 1)];

// Attack

$damage = $_SESSION["Enemies"][$an]["Damage"] + mt_rand(0, 2);

$_SESSION["Players"][$tn]["CurrentLife"] -= $damage;

messages_add("" . $_SESSION["Enemies"][$an]["Name"]." attacked ".$_SESSION["Players"][$tn]["Name"]."");

}

`

Basic AI: Random target selection, random damage variance

4.4 Equipment System

Equipment Types:

  • Weapon - Increases Damage
  • Armor - Increases Defence
  • Shield - Additional Defence

Equipment Stats (objects_equipment):

`sql

INSERT INTO objects_equipment VALUES

(1,'Spike Club','Weapon',5,1,0,0,1,0,0,0,0);

-- Damage=5, Defence=1, Strength+1

INSERT INTO objects_equipment VALUES

(2,'Leather Vest','Armor',0,8,0,0,0,0,0,0,0);

-- Defence=8

INSERT INTO objects_equipment VALUES

(8,'Cold Sword','Weapon',10,0,2,0,0,0,0,2,0);

-- Damage=10, Life+2, Vitality+2

`

Equipment Properties:

  • Damage, Defence (primary)
  • Life, Mana (bonus HP/MP)
  • Strength, Agility, Endurance, Vitality, Wisdom (stat bonuses)

4.5 Item System

6 Items Defined:

  • Candy (10g) - Restore 100 HP
  • Medical Herb (20g) - Remove status effect
  • Chocolate (30g) - Restore 250 HP
  • Cup of Wishes (150g) - (No effect defined)
  • Royal Jam (100g) - Restore 100 MP
  • Fearie Walnut (500g) - Restore 50 MP
  • Tent (600g) - (No effect defined)

Item Events (PHP code in database!):

`sql

INSERT INTO objects_items VALUES

(1,'Candy',10,'status_alter($tg, $tn, \"CurrentLife\", 100);');

`

Dynamic PHP Execution: Items execute PHP scripts!

4.6 Spell System

2 Spells Defined:

  • Cure (Water, 2 MP) - Restore 250 HP

`php

'status_alter($tg, $tn, \"CurrentLife\", 250);'

`

  • Stone Crush (Earth, 3 MP) - Deal 50 damage

`php

'status_alter($tg, $tn, \"CurrentLife\", -50);'

`

Spell Casting:

`php

function use_spell($id, $ag, $an, $tg, $tn)

{

if ($_SESSION[$ag][$an]["CurrentMana"] >= $result["Mana"])

{

script_load($_SESSION[$ag][$an]["Spells"][$id]["Event"]);

$_SESSION[$ag][$an]["CurrentMana"] -= $result["Mana"];

messages_add("" . $_SESSION[$ag][$an]["Name"] . " threw a spell on " . $_SESSION[$tg][$tn]["Name"] . "");

}

else

{

messages_add("" . $_SESSION[$ag][$an]["Name"] . " does not have enough mana");

}

}

`

4.7 Map System

4 Maps Defined:

  • Jail - MeleeClass=128, encounter range 1-2
  • Jail Entrance - MeleeClass=128, encounter range 1-3
  • Ion Forest - MeleeClass=128, encounter range 1-3
  • Test - MeleeClass=10, encounter range 2-3

Coordinate-Based Maps:

`sql

INSERT INTO maps_coords VALUES (1,53,52);

INSERT INTO maps_coords VALUES (1,53,51);

-- Each coordinate is a walkable tile

`

Movement System:

`php

function user_travel($posx, $posy)

{

// Move one tile toward target

if ($posx > $_SESSION["User"]["PosX"]) { $x = $_SESSION["User"]["PosX"] + 1; }

else if ($posx < $_SESSION["User"]["PosX"]) { $x = $_SESSION["User"]["PosX"] - 1; }

else { $x = $_SESSION["User"]["PosX"]; }

// ... same for Y

// Check if coordinate exists

if (isset($_SESSION["Map"]["Coords"][$x][$y]))

{

$_SESSION["User"]["PosX"] = $x;

$_SESSION["User"]["PosY"] = $y;

}

}

`

Grid-Based Movement: Click-to-move on coordinate grid

4.8 Random Encounters

Melee Encounter System:

`php

// MeleeClass = encounter rate (128 = 1/128 chance per move)

// MeleeMin/Max = enemy level range

`

3 Enemies Defined:

  • Jail Guard (Melee) - 1 exp, 2 gold, Endurance=5, Vitality=2
  • Guard Dog (Melee) - 3 exp, 8 gold, Agility=3, Endurance=6, Vitality=3
  • Guard Chief (Boss) - 3 exp, 7 gold, Endurance=8, Vitality=4

Enemy Types:

  • Melee - Random encounters
  • Boss - Scripted encounters

4.9 Admin Map Editor

admin.php - Visual map editor:

`php

// Click tiles to enable/disable

if ($_REQUEST["action"] == "map_on")

{

$_SESSION["map"]["Coords"][$_REQUEST["x"]][$_REQUEST["y"]]["Visible"] = true;

}

// Save to database

if ($_REQUEST["action"] == "save")

{

$sql_query = "DELETE FROM maps_coords WHERE MapID = '$id'";

// Re-insert all visible coordinates

for ($y = ($_SESSION["mapy"] - $ysize); $y <= ($_SESSION["mapy"] + $ysize); $y++)

{

for ($x = ($_SESSION["mapx"] - $xsize); $x <= ($_SESSION["mapx"] + $xsize); $x++)

{

if ($_SESSION["map"]["Coords"][$x][$y]["Visible"] == true)

{

$sql_query = "INSERT INTO maps_coords (MapID, PosX, PosY) VALUES ('$id', '$x', '$y')";

mysql_query($sql_query);

}

}

}

}

`

Visual Tile Editor: Click-based map painting tool

4.10 Message System

Rolling Message Log:

`php

function messages_add($text)

{

// Shift messages down

for ($i = 4; $i > 0; $i--)

{

if (isset($_SESSION["Messages"][$i - 1]))

{

$_SESSION["Messages"][$i] = $_SESSION["Messages"][$i - 1];

}

}

$_SESSION["Messages"][0] = $text;

}

`

5-Message Display: Shows last 5 game events

---

5. Security Analysis

5.1 Critical Vulnerabilities (2/10)

1. PLAINTEXT PASSWORDS:

`php

// load.inc.php

$sql_query = "SELECT * FROM users WHERE Name = '$name' AND Password = '$password'";

`

  • No hashing, no encryption
  • Passwords stored in cleartext
  • Severity: 10/10 - Complete compromise

2. SQL INJECTION (Authentication Bypass):

`php

function load_ok($name, $password)

{

$sql_query = "SELECT * FROM users WHERE Name = '$name' AND Password = '$password'";

$sql = mysql_query($sql_query);

return(mysql_num_rows($sql));

}

`

Attack Vector:

`

username: admin' OR '1'='1

password: anything

Result: Bypasses authentication!

`

  • Direct string interpolation
  • No mysql_escape_string()
  • No prepared statements
  • Severity: 10/10 - Authentication bypass

3. SQL INJECTION (All Queries):

`php

// admin.php

$sql_query = "DELETE FROM maps_coords WHERE MapID = '$id'";

$sql_query = "INSERT INTO maps_coords (MapID, PosX, PosY) VALUES ('$id', '$x', '$y')";

// load.inc.php

$sql_query = "SELECT * FROM players WHERE ID = '$id'";

$sql_query = "SELECT * FROM maps WHERE ID = '$id'";

// etc. (14+ vulnerable queries)

`

  • No escaping anywhere
  • All user input flows to SQL
  • Severity: 10/10

4. EVAL-LIKE BEHAVIOR (Items/Spells):

`sql

INSERT INTO objects_items VALUES

(1,'Candy',10,'status_alter($tg, $tn, \"CurrentLife\", 100);');

`

`php

script_load($_SESSION[$ag][$an]["Items"][$id]["Event"]);

`

While not direct eval(), the script_load() function executes database-stored code. If an attacker can insert into objects_items, they control code execution.

Severity: 8/10 - Database compromise → code execution

5. SESSION HIJACKING:

`php

// login.php

$_SESSION["User"]["ID"]

// No session regeneration, no HTTPS enforcement

`

  • No session_regenerate_id()
  • Session fixation possible
  • Severity: 6/10

6. CSRF VULNERABLE:

`php

// engine.php

if ($_REQUEST["action"] == "travel")

if ($_REQUEST["action"] == "attack")

if ($_REQUEST["action"] == "reset")

`

  • No CSRF tokens
  • State changes via GET/POST
  • Severity: 5/10

7. NO INPUT VALIDATION:

`php

// engine.php

use_weapon(0, "Players", 0, $_REQUEST["sg"], $_REQUEST["sn"]);

user_travel($_REQUEST["travelx"], $_REQUEST["travely"]);

`

  • Direct $_REQUEST usage
  • No type checking
  • No bounds checking
  • Severity: 7/10 - Can manipulate game state

5.2 Positive Security Practices

1. register_globals = Off Required:

`plaintext

// docs/readme.txt

PHP 4.3.*:

register_globals = Off

`

Good Practice: Recognizes register_globals danger

2. No $_GET/$_POST (Uses $_REQUEST):

  • Consistent use of $_REQUEST
  • Easier to audit (single pattern)

3. Session-Based Architecture:

  • No cookies for game state
  • All state in $_SESSION

4. Clean Configuration:

  • No hardcoded production credentials
  • Separate data.inc.php for DB config

5.3 Security Score: 2/10

Rationale:

  • Plaintext passwords = 0/10
  • SQL injection everywhere = 0/10
  • Authentication bypass trivial
  • No input validation
  • Database-driven code execution (items/spells)
  • Better than Solar Empire (1/10) but worse than average
  • CANNOT DEPLOY PUBLICLY

---

6. Technical Observations

6.1 Code Quality

Positive Aspects:

  • Open Source (GNU GPL)
  • Small codebase (1,672 lines - manageable!)
  • Custom script engine (innovative!)
  • Modular architecture (15 includes)
  • Clean separation (data/logic/presentation)
  • Visual map editor (admin.php)
  • Active Time Battle system (like Final Fantasy)
  • Multi-character party support
  • Comprehensive documentation (readme + script docs)
  • Inspired by classics (Secret of Mana, Final Fantasy)

Negative Aspects:

  • UNFINISHED - Developers admit it's "full of bugs"
  • Plaintext passwords (no hashing)
  • SQL injection everywhere
  • No save system - save.inc.php is EMPTY!
  • Deprecated functions (mysql_*, session_register implied)
  • Missing features listed in TODO:
  • Fix security problems (priority 1!)
  • Enemy AI incomplete
  • Engine unfinished
  • Battle system incomplete
  • Cutscene page missing
  • NPC dialog system incomplete
  • User rating system missing

6.2 Notable Design Patterns

1. Script Engine:

`php

// Custom domain-specific language for events

`

Like: A text adventure language embedded in RPG

2. Database-Driven Everything:

  • Item effects stored as PHP code
  • Map events stored as scripts
  • All game data in MySQL

Like: ContentManagementSystem approach to RPG

3. Session-Based Game State:

  • No file I/O
  • No persistent storage beyond login
  • Pure in-memory game

Like: Modern single-page applications

4. Gauge System:

`php

$_SESSION["Players"][$i]["Gauge"] = 1; // 1-5 gauge levels

`

Like: Secret of Mana's charge attack system

5. Initiative-Based Combat:

`php

$_SESSION["Players"][$i]["Initiative"] += $endurance + mt_rand(0,1);

if ($initiative >= 100) { / can act / }

`

Like: Final Fantasy's Active Time Battle (ATB)

6.3 Unique Features

1. Custom Script Language:

  • Domain-specific language for game events
  • Parsed and executed line-by-line
  • Pauses execution for user input
  • Most sophisticated scripting seen so far!

2. Visual Map Editor:

  • admin.php provides clickable tile editor
  • Real-time preview
  • Save directly to database

3. Database-Driven Content:

  • Items execute PHP from database
  • Spells execute PHP from database
  • Events execute scripts from database
  • Like: A game engine where content is data

4. Multi-Group Battle System:

  • Players vs Enemies
  • Functions use ($ag, $an, $tg, $tn) pattern:
  • $ag = attacker group
  • $an = attacker number
  • $tg = target group
  • $tn = target number
  • Flexible targeting system

---

7. Historical Context

7.1 Development Era

Year: ~2003

Evidence:

  • MySQL dump date: 2003-12-25 (Christmas Day!)
  • PHP 4.3 requirement
  • SourceForge project (phpfantasyrpg.sourceforge.net)
  • mysql_* functions standard
  • Active development version 0.0.3

PHP Context: PHP 4.x era

  • Pre-PHP 5 (OOP revolution)
  • mysql_* functions standard
  • register_globals danger recognized
  • Sessions becoming standard

Web Gaming Context:

  • Browser RPGs emerging
  • Flash games popular
  • Classic JRPGs inspiring web games
  • Open source game projects rare

7.2 Developer Information

Developers:

  • jezze (This email address is being protected from spambots. You need JavaScript enabled to view it.) - Swedish developer
  • rewben (This email address is being protected from spambots. You need JavaScript enabled to view it.) - Dutch developer

International Collaboration: Sweden + Netherlands

Project Philosophy:

  • Open source (GNU GPL)
  • Inspired by console classics
  • "Almost every browser" compatibility
  • Free to play

7.3 Game Lineage

Influenced By:

  • Secret of Mana (Gauge system, real-time-ish combat)
  • Final Fantasy (ATB system, party mechanics, stats)
  • Square Soft RPGs (general design philosophy)

Unique Position:

  • Most script-driven game in collection
  • Smallest codebase (1,672 lines)
  • Only open-source game analyzed so far!
  • Most unfinished game (developers admit it)

Similar Games in Collection:

  • None! This is unique in its approach.

---

8. Completeness & Playability

8.1 Feature Completeness: 40%

Fully Implemented ( ):

  • User login (insecure, but functional)
  • Map exploration
  • Movement system
  • Combat system (turn-based initiative)
  • Damage calculation
  • Equipment system
  • Item usage
  • Spell casting
  • Message log
  • Enemy encounters
  • Admin map editor
  • Script engine (basic functionality)
  • Demo account (username/password: demo)

Partially Implemented (⚠️):

  • Script engine (many commands defined, unclear implementation)
  • Enemy AI (basic random targeting)
  • Combat actions (gauge system incomplete)
  • Equipment bonuses (loading works, unclear if applied)
  • Spell/item effects (defined, but untested)

Missing/Broken ( ):

  • Save system - save.inc.php is EMPTY!
  • User registration (signup.php not provided)
  • Cutscene system (scene.php mentioned but missing)
  • NPC dialog system (incomplete)
  • Flee mechanics (placeholder only)
  • User rating/ladder system
  • Many script commands (use_weapon, use_spell in scripts)
  • Quest system (triggers tracked but no quests)
  • Experience/leveling (no level-up mechanics)
  • Gold/shop system (no shops)
  • Death handling (unclear what happens at 0 HP)

8.2 Playability Assessment

Playable: BARELY

Developer's Warning:

`plaintext

Notice

======

This game is yet full of bugs and missing features!

`

Installation:

  • Unzip files
  • Import data/data.sql
  • Edit includes/data.inc.php (DB credentials)
  • Navigate to index.php
  • Login as demo/demo

Can You Play?: Technically yes, but...

  • Login works
  • Move around map
  • Encounter enemies
  • Enter combat
  • Attack works
  • BUT: No save system!
  • BUT: No death handling
  • BUT: No progression (XP tracking only)
  • BUT: No quests
  • BUT: No story content

Production Readiness: 0/10

  • Unfinished prototype
  • Plaintext passwords
  • SQL injection everywhere
  • No save functionality
  • Missing core features
  • NOT DEPLOYABLE even for private use

8.3 Developer TODO List

From docs/readme.txt:

Priority 1 (Critical):

  • [1] Fix security problems
  • [1] The enemy AI file (battle_enemy.inc.php)
  • [1] Finish the engine file (engine.php)
  • [1] Solve battle-system (use_weapon, use_item.inc.php, use_spell.inc.php)

Priority 2 (Important):

  • [2] Change layout on explore.php
  • [2] Create a cutscene page (scene.php)
  • [2] Ability to speak to villagers etc. (scene.php)

Priority 3 (Nice-to-have):

  • [3] User rating system (ladder.php)

Reality: Project appears abandoned at v0.0.3

---

9. Comparison to Collection

9.1 Ranking Metrics

Size: Smallest

  • 20 PHP files
  • 1,672 lines
  • 64 total files
  • Rank: 79th/79 (smallest!)

Security: Very Poor

  • 2/10 rating
  • Plaintext passwords + SQL injection
  • Better than Solar Empire (1/10)
  • Worse than most (average 6/10)
  • Rank: ~75th/79

Features: Limited (Unfinished)

  • 12 database tables
  • Turn-based combat
  • Script engine (innovative!)
  • Map editor (unique!)
  • But incomplete
  • Rank: ~60th/79

Graphics: Minimal

  • 40 PNG files (348 KB)
  • Simple UI graphics
  • Character faces
  • No map tiles
  • Rank: ~70th/79

Code Quality: Amateur (But Clean)

  • Small and readable
  • Good structure
  • But severe security flaws
  • Rank: ~50th/79

Completeness: Prototype

  • 40% complete
  • Missing save system
  • Developers admit it's unfinished
  • Rank: 78th/79 (2nd least complete)

9.2 Similar Games Comparison

vs Robot Warz (Game 57 - 6/10):

  • Robot Warz: 118 PHP/23K lines, 4/10 security, 90% complete
  • Spirit of Gaia: 20 PHP/1.6K lines, 2/10 security, 40% complete
  • Robot Warz: Hardcoded credentials disaster
  • Spirit of Gaia: Plaintext passwords disaster
  • Winner: Robot Warz (larger, more complete)

vs Solar Empire (Game 62 - 1/10):

  • Solar Empire: extract($_POST) disaster, 30K lines
  • Spirit of Gaia: SQL injection everywhere, 1.6K lines
  • Both: Catastrophic security
  • Spirit of Gaia: Better architecture
  • Winner: Spirit of Gaia (cleaner code)

vs OpenRPG (theoretical comparison):

  • Spirit of Gaia more ambitious (script engine!)
  • Spirit of Gaia less complete
  • Spirit of Gaia better documentation

9.3 Unique Position

Strengths:

  • Smallest codebase (1,672 lines - most concise!)
  • Custom script engine (most innovative approach!)
  • Open source (GNU GPL - only one so far!)
  • Best documentation (readme + script docs)
  • Visual map editor (unique admin tool)
  • ATB combat system (Final Fantasy-style)
  • Clearest code structure (easy to understand)
  • International collaboration (Sweden + Netherlands)

Weaknesses:

  • Most unfinished (40% complete)
  • No save system (save.inc.php empty!)
  • Plaintext passwords (no hashing at all)
  • SQL injection everywhere (no escaping)
  • Smallest scope (12 tables vs 40+ in others)
  • Abandoned project (v0.0.3, last update unknown)

Overall Collection: 65-70th/79

---

10. Rating & Verdict

10.1 Component Ratings

Aspect Score Notes
Security 2/10 Plaintext passwords, SQL injection everywhere
Code Quality 6/10 Clean structure, but severe security flaws
Features 4/10 Innovative script engine, but 60% missing
Completeness 4/10 40% complete, no save system
Graphics 3/10 Minimal PNG graphics (40 files)
Innovation 8/10 Custom script engine, ATB combat, map editor
Balance N/A Too incomplete to evaluate
Playability 2/10 Demo works, but no save/progression
Maintainability 7/10 Small, readable, well-structured

10.2 Overall Rating: 3/10

"Ambitious Open-Source Prototype with Brilliant Ideas but Fatal Security Flaws"

10.3 Strengths

Smallest Codebase - 1,672 lines (most concise game!)

Custom Script Engine - Innovative domain-specific language

Open Source - GNU GPL (only open-source game so far!)

Clean Architecture - Well-organized includes

Best Documentation - Comprehensive readme + script docs

Visual Map Editor - Unique admin tool

ATB Combat - Final Fantasy-inspired initiative system

Multi-Character Party - Full party mechanics

Database-Driven Content - Items/spells/events in DB

Gauge System - Secret of Mana-style charging

International Collaboration - Sweden + Netherlands

10.4 Critical Weaknesses

PLAINTEXT PASSWORDS - Stored unencrypted (worst practice!)

SQL INJECTION EVERYWHERE - All 14 queries vulnerable

AUTHENTICATION BYPASS - admin' OR '1'='1 trivial

NO SAVE SYSTEM - save.inc.php is EMPTY!

UNFINISHED - Developers admit "full of bugs and missing features"

40% COMPLETE - Missing registration, quests, shops, death, leveling

NO PROGRESSION - XP tracked but no level-up mechanics

PROJECT ABANDONED - Stuck at v0.0.3

NO INPUT VALIDATION - Direct $_REQUEST usage

SESSION HIJACKING - No session_regenerate_id()

10.5 Verdict

Spirit of Gaia is an ambitious open-source RPG prototype that showcases brilliant design ideas—a custom script engine, ATB combat, visual map editor, and database-driven content—but was abandoned at 40% completion with catastrophic security flaws. It's the smallest game analyzed (1,672 lines) and the most well-documented, with comprehensive readme files explaining its inspiration from Secret of Mana and Final Fantasy. The custom script language (#MODULE# #TEXT# #PAUS#) is the most innovative approach seen in the collection.

However, it contains the WORST authentication security: plaintext passwords stored directly in the database with no hashing whatsoever. Combined with SQL injection in every single query (including authentication), anyone can bypass login with admin' OR '1'='1. The developers explicitly warn it's "full of bugs and missing features," and critically, the save.inc.php file is completely empty—there's no way to save progress!

As an educational project, Spirit of Gaia demonstrates excellent software engineering principles: clean separation of concerns, modular architecture, comprehensive documentation, and innovative design patterns. The script engine alone is worth studying. But as a deployable game, it's a non-starter: no save system, no security, and missing 60% of planned features.

The TODO list from 2003 remains unfinished: "Fix security problems" is listed as Priority 1, followed by "Finish the engine file" and "Solve battle-system." The project appears abandoned mid-development, leaving behind an intriguing proof-of-concept that demonstrates what could have been a unique open-source RPG.

If the security flaws were fixed (bcrypt passwords, prepared statements), the save system completed, and the missing features implemented, this could be a solid 7/10 game. The foundation is excellent. But as-is, it's an unfinished prototype that serves better as a learning resource than a playable game.

10.6 Recommended For

  • Students: Learn clean architecture and modular design
  • Game Designers: Study custom script engines and ATB systems
  • Open Source Enthusiasts: Fork and complete the project!
  • Security Researchers: Perfect example of what NOT to do
  • RPG Developers: Examine database-driven content approach

10.7 Not Recommended For

  • Public Deployment: Plaintext passwords = instant compromise
  • Production Use: SQL injection everywhere
  • Actual Gaming: No save system, 40% complete
  • Private Servers: Authentication bypass trivial
  • Learning Security: Teaches dangerous anti-patterns

10.8 Historical Significance

Medium - Represents early 2000s open-source browser RPG experimentation, demonstrates custom script engine innovation rarely seen in collection, showcases international collaboration (Sweden + Netherlands), provides best-documented codebase with comprehensive developer notes, preserves JRPG influence (Secret of Mana, Final Fantasy) in browser gaming, serves as cautionary tale about abandoned projects, documents PHP 4.x era development practices, and offers unique database-driven content approach that influenced modern game engines. Most importantly: it's the ONLY open-source game in the collection, making it valuable for educational purposes despite fatal security flaws.

Revival Potential: High - With 100-150 hours of work:

  • Fix authentication (bcrypt passwords, prepared statements)
  • Implement save.inc.php (10 functions needed)
  • Add registration system (signup.php)
  • Complete level-up mechanics
  • Add shop system
  • Implement quest system
  • Complete NPC dialog
  • Add death handling
  • Balance combat
  • Create story content

The foundation is excellent. Someone should fork this on GitHub and finish it!

---

Analysis Complete: Game 64/79 (81.0%)

Next: Time 4 Crime (Game 65) when you say "65 go!"

Security Warning

Running many of the scripts in this archive on a live server presents a serious security risk. These projects were created before modern hardening practices and may contain vulnerabilities that can compromise your system.

We strongly recommend using this code for reference and analysis only, or in isolated local environments. By downloading these files, you accept full responsibility for their use.