Release v1.8.9

Better name validation, like in the original game website (#356 )
* Better name validation, like in the original game website * Don't automatically ucfirst and strtolower the cases of the word * This allows for names like: Lord of Ring, Man of the Earth etc. * Don't allow special characters like: -, [], ' * Don't allow one letter words * Require at least one vowel per word * Add notice about admin logged in * Add trim, for future Currently its stripped anyway in the init.php, but AI don't know it :P Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Implement AI recommended changes * Update tools/validate.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Trim $name * Update Validator.php --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-26 20:33:31 +02:00 · 2026-04-06 12:23:42 +02:00 · 2026-04-06 10:41:29 +02:00 · 2026-03-15 13:02:22 +01:00 · 2026-02-26 16:46:13 +01:00 · 2026-02-24 21:04:20 +01:00
152 changed files with 5343 additions and 4348 deletions
--- a/.github/workflows/cypress.yml
+++ b/.github/workflows/cypress.yml
@@ -1,9 +1,9 @@
 name: Cypress
 on:
  pull_request:
-    branches: [develop]
+    branches: [main]
  push:
-    branches: [develop]
+    branches: [main]
 jobs:
  cypress:
@@ -23,7 +23,7 @@ jobs:
      fail-fast: false
      matrix:
        php-versions: [ '8.1', '8.2', '8.3', '8.4', '8.5' ]
-        ots: ['tfs-1.4', 'canary-3.1.2', 'tfs-0.3'] # TODO: add 'tfs-master' (actually doesn't work cause AAC doesn't support reading .env configuration)
+        ots: ['tfs-1.4', 'canary-3.1.2'] # TODO: add 'tfs-master' (actually doesn't work cause AAC doesn't support reading .env configuration)
    name: Cypress (PHP ${{ matrix.php-versions }}, ${{ matrix.ots }})
    steps:
        - name: 📌 MySQL Start & init & show db
@@ -58,14 +58,6 @@ jobs:
            ref: master
            path: ots
        - name: Checkout TFS 0.3
          uses: actions/checkout@v4
          if: matrix.ots == 'tfs-0.3'
          with:
              repository: otland/tfs-old-svn
              ref: 0.3
              path: ots
        - name: Checkout Canary
          uses: actions/checkout@v4
          if: matrix.ots == 'canary-3.1.2'
@@ -75,15 +67,9 @@ jobs:
            path: ots
        - name: Import OTS Schema
          if: matrix.ots != 'tfs-0.3'
          run: |
              mysql -uroot -proot myaac < ots/schema.sql
        - name: Import OTS Schema (TFS 0.3)
          if: matrix.ots == 'tfs-0.3'
          run: |
              mysql -uroot -proot myaac < ots/schemas/mysql.sql
        - name: Rename config.lua
          run: mv ots/config.lua.dist ots/config.lua
@@ -123,33 +109,6 @@ jobs:
              regex: false
              include: 'ots/config.lua'
        - name: Replace mysqlPass (TFS 0.3.6pl1)
          uses: jacobtomlinson/gha-find-replace@v3
          if: matrix.ots == 'tfs-0.3'
          with:
              find: 'sqlType = "sqlite"'
              replace: 'sqlType = "mysql"'
              regex: false
              include: 'ots/config.lua'
        - name: Replace mysqlPass (TFS 0.3.6pl1)
          uses: jacobtomlinson/gha-find-replace@v3
          if: matrix.ots == 'tfs-0.3'
          with:
              find: 'sqlPass = ""'
              replace: 'sqlPass = "root"'
              regex: false
              include: 'ots/config.lua'
        - name: Replace mysqlDatabase (Canary)
          uses: jacobtomlinson/gha-find-replace@v3
          if: matrix.ots == 'tfs-0.3'
          with:
              find: 'sqlDatabase = "theforgottenserver"'
              replace: 'sqlDatabase = "myaac"'
              regex: false
              include: 'ots/config.lua'
        - name: Setup PHP
          uses: shivammathur/setup-php@v2
          with:
--- a/.github/workflows/phplint.yml
+++ b/.github/workflows/phplint.yml
@@ -1,9 +1,9 @@
 name: PHP Linting
 on:
  pull_request:
-    branches: [develop]
+    branches: [main]
  push:
-    branches: [develop]
+    branches: [main]
 jobs:
  phplint:
--- a/.github/workflows/phpstan.yml
+++ b/.github/workflows/phpstan.yml
@@ -2,9 +2,9 @@ name: "PHPStan"
 on:
  pull_request:
-    branches: [develop]
+    branches: [main]
  push:
-    branches: [develop]
+    branches: [main]
 jobs:
  tests:
@@ -14,7 +14,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        php-versions: [ '8.1', '8.2', '8.3', '8.4', '8.5' ]
+        php-versions: [ '8.1', '8.2', '8.3', '8.4' ]
    steps:
      - name: "Checkout"
        uses: "actions/checkout@v4"
--- a/CHANGELOG-1.x.md
+++ b/CHANGELOG-1.x.md
@@ -1,5 +1,18 @@
 # Changelog
 ## [1.8.9 - 06.04.2026]
 ### Added
 * Settings: Possibility to add custom HTML for the head and body tags like Google Analytics code etc. (https://github.com/slawkens/myaac/commit/108e83806df5686a06826931ed5e243c19cbe130)
 * Add command: give-admin (https://github.com/slawkens/myaac/commit/9fa9ec746c4b344387a21f21886c2251319806fc)
  * Usage: php aac give:admin slawkens@gmail.com
    Parameter: account email, name or id
  * It's admin for the website, not the GM for the game! For that, go into the admin panel and change the group manually
 * Add page load time to an Admin Panel footer (https://github.com/slawkens/myaac/commit/4ae2fdd0dfcd56697612395c14aecc2dfd33b1c3)
 ### Changed
 * Better character name validation, like in the original game website (#356)
 * Install: don't suggest deleting of install folder - it's not required (https://github.com/slawkens/myaac/commit/5fcde4708a39255cf68edc8c43f2ac6597e2601d)
 ## [1.8.8 - 31.01.2026]
 ### Added
 * Change Comment: Add missing hooks - patched from 0.8 (https://github.com/slawkens/myaac/commit/a60a23b84f61d41d1503073b52e01e3120f6d92a)
--- a/CHANGELOG-2.x.md
+++ b/CHANGELOG-2.x.md
@@ -1,21 +0,0 @@
 ## [2.0-dev - x.x.2025]
 ### Added
 * Add an "access" option to Menus (#340)
 	* Possibility to hide menus for unauthorized users
 * Add the possibility to fetch skills in the getTopPlayers function (#347)
 ### Changed
 * Better handling of vocations: (#345)
  * Load from vocations.xml (No need to manually set)
  * Support for Monk vocation
 * Better gallery, loads images from images/gallery folder
 * Reworked account action logs to use a single IP column as varchar(45) for both ipv4 and ipv6 (#289)
 * Admin Panel: save menu collapse state (https://github.com/slawkens/myaac/commit/55da00520df7463a1d1ca41931df1598e9f2ffeb)
 ### Internal
 * Refactor account/lost pages (#326)
 * Refactor OTS_Player to support more distros (#348)
 * Refactor PHP cache to store expiration and improve typing (https://github.com/slawkens/myaac/commit/96b8e00f4999f8b4c4c97b54b97d91c6fd7df298)
 * Move forum show_board code to Twig (https://github.com/slawkens/myaac/commit/e0e0e467012a5fb9979cc4387af6bad1d4540279)
 * Save db cache only if it has changed (https://github.com/slawkens/myaac/commit/11cb1cf97e74f3bccf59360e1efb800a426b3d43)
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ Official website: https://my-aac.org
 [![GitHub Workflow Status (with event)](https://img.shields.io/github/actions/workflow/status/slawkens/myaac/cypress.yml)](https://github.com/slawkens/myaac/actions)
 [![License: GPL-3.0](https://img.shields.io/github/license/slawkens/myaac)](https://opensource.org/licenses/gpl-license)
 [![Downloads Count](https://img.shields.io/github/downloads/slawkens/myaac/total)](https://github.com/slawkens/myaac/releases)
-[![OpenTibia Discord](https://img.shields.io/discord/288399552581468162)](https://discord.gg/2J39Wus)
+[![MyAAC Discord](https://img.shields.io/discord/1468205461319848049)](https://discord.gg/aVagGPJt3g)
 [![Closed Issues](https://img.shields.io/github/issues-closed-raw/slawkens/myaac)](https://github.com/slawkens/myaac/issues?q=is%3Aissue+is%3Aclosed)
 | Version | Status                 | Branch  | Requirements   |
--- a/admin/pages/accounts.php
+++ b/admin/pages/accounts.php
@@ -9,7 +9,6 @@
 */
 use MyAAC\Models\Account as AccountModel;
 use MyAAC\Models\AccountAction;
 use MyAAC\Models\Player;
 defined('MYAAC') or die('Direct access not allowed!');
@@ -183,7 +182,39 @@ else if (isset($_REQUEST['search'])) {
 					$account->setName($name);
 				}
 				if ($hasTypeColumn) {
 					$account->setCustomField('type', $group);
 				} elseif ($hasGroupColumn) {
 					$account->setCustomField('group_id', $group);
 				}
 				if ($hasSecretColumn) {
 					$account->setCustomField('secret', $secret);
 				}
 				$account->setCustomField('key', $key);
 				$account->setEMail($email);
 				if (HAS_ACCOUNT_COINS) {
 					$account->setCustomField('coins', $t_coins);
 				}
 				if (HAS_ACCOUNT_COINS_TRANSFERABLE || HAS_ACCOUNT_TRANSFERABLE_COINS) {
 					$account->setCustomField(ACCOUNT_COINS_TRANSFERABLE_COLUMN, $t_coins_transferable);
 				}
 				$lastDay = 0;
 				if($p_days != 0 && $p_days != OTS_Account::GRATIS_PREMIUM_DAYS) {
 					$lastDay = time();
 				} else if ($lastDay != 0) {
 					$lastDay = 0;
 				}
 				$account->setPremDays($p_days);
 				$account->setLastLogin($lastDay);
 				if ($hasPointsColumn) {
 					$account->setCustomField('premium_points', $p_points);
 				}
 				$account->setRLName($rl_name);
 				$account->setLocation($rl_loca);
@@ -191,18 +222,9 @@ else if (isset($_REQUEST['search'])) {
 					$account->setCountry($rl_country);
 				}
 				$account->setCustomField('created', $created);
 				$account->setWebFlags($web_flags);
-
+				$account->setCustomField('web_lastlogin', $web_lastlogin);
 				if (!isCanary()) {
 					$lastDay = 0;
 					if($p_days != 0 && $p_days != OTS_Account::GRATIS_PREMIUM_DAYS) {
 						$lastDay = time();
 					}
 					$account->setLastLogin($lastDay);
 				}
 				$account->setPremDays($p_days);
 				if (isset($password)) {
 					if (USE_ACCOUNT_SALT) {
@@ -216,34 +238,6 @@ else if (isset($_REQUEST['search'])) {
 				}
 				$account->save();
 				if ($hasTypeColumn) {
 					$account->setCustomField('type', $group);
 				} elseif ($hasGroupColumn) {
 					$account->setCustomField('group_id', $group);
 				}
 				if ($hasSecretColumn) {
 					$account->setCustomField('secret', $secret);
 				}
 				$account->setCustomField('key', $key);
 				if (HAS_ACCOUNT_COINS) {
 					$account->setCustomField('coins', $t_coins);
 				}
 				if (HAS_ACCOUNT_COINS_TRANSFERABLE || HAS_ACCOUNT_TRANSFERABLE_COINS) {
 					$account->setCustomField(ACCOUNT_COINS_TRANSFERABLE_COLUMN, $t_coins_transferable);
 				}
 				if ($hasPointsColumn) {
 					$account->setCustomField('premium_points', $p_points);
 				}
 				$account->setCustomField('created', $created);
 				$account->setCustomField('web_lastlogin', $web_lastlogin);
 				echo_success('Account saved at: ' . date('G:i'));
 			}
 		}
@@ -487,8 +481,9 @@ else if (isset($_REQUEST['search'])) {
 									</thead>
 									<tbody>
 										<?php
-											$accountActions = AccountAction::where('account_id', $account->getId())->orderByDesc('date')->get();
+											$accountActions = \MyAAC\Models\AccountAction::where('account_id', $account->getId())->orderByDesc('date')->get();
 											foreach ($accountActions as $i => $log):
 												$log->ip = ($log->ip != 0 ? long2ip($log->ip) : inet_ntop($log->ipv6));
 												?>
 											<tr>
 												<td><?php echo $i + 1; ?></td>
@@ -636,7 +631,6 @@ else if (isset($_REQUEST['search'])) {
 							</div>
 						</form>
 					</div>
 					<?php if (USE_ACCOUNT_NAME): ?>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
 							<?php csrf(); ?>
@@ -647,7 +641,6 @@ else if (isset($_REQUEST['search'])) {
 							</div>
 						</form>
 					</div>
 					<?php endif; ?>
 					<div class="col-6 col-lg-12">
 						<form action="<?php echo $admin_base; ?>" method="post">
 							<?php csrf(); ?>
--- a/admin/pages/menus.php
+++ b/admin/pages/menus.php
@@ -23,7 +23,6 @@ if (!hasFlag(FLAG_CONTENT_MENUS) && !superAdmin()) {
 }
 $pluginThemes = Plugins::getThemes();
 $groups = new OTS_Groups_List();
 if (isset($_POST['template'])) {
 	$template = $_POST['template'];
@@ -33,8 +32,6 @@ if (isset($_POST['template'])) {
 		$post_menu_link = $_POST['menu_link'] ?? [];
 		$post_menu_blank = $_POST['menu_blank'] ?? [];
 		$post_menu_color = $_POST['menu_color'] ?? [];
 		$post_menu_access = $_POST['menu_access'] ?? [];
 		if (count($post_menu) != count($post_menu_link)) {
 			echo 'Menu count is not equal menu links. Something went wrong when sending form.';
 			return;
@@ -53,7 +50,6 @@ if (isset($_POST['template'])) {
 						'link' => $post_menu_link[$category][$i],
 						'blank' => $post_menu_blank[$category][$i] == 'on' ? 1 : 0,
 						'color' => str_replace('#', '', $post_menu_color[$category][$i]),
 						'access' => $post_menu_access[$category][$i],
 						'category' => $category,
 						'ordering' => $i
 					]);
@@ -126,7 +122,7 @@ if (isset($_POST['template'])) {
 	?>
 	<?php
 	$menus = Menu::query()
-		->select('name', 'link', 'access', 'blank', 'color', 'category', 'ordering')
+		->select('name', 'link', 'blank', 'color', 'category', 'ordering')
 		->where('enabled', 1)
 		->where('template', $template)
 		->orderBy('ordering')
@@ -155,34 +151,11 @@ if (isset($_POST['template'])) {
 									foreach ($menus[$id] as $menu):
 										$color = (empty($menu['color']) ? ($cat['default_links_color'] ?? ($config['menu_default_links_color'] ?? ($config['menu_default_color'] ?? '#ffffff'))) : '#' . $menu['color']);
 										?>
-										<li class="ui-state-default" id="list-<?php echo $id ?>-<?php echo $i ?>">
+										<li class="ui-state-default" id="list-<?php echo $id ?>-<?php echo $i ?>"><label>Name:</label> <input type="text" name="menu[<?php echo $id ?>][]" value="<?php echo escapeHtml($menu['name']); ?>"/>
-											<label class="label_menu_name">Name: <input type="text" name="menu[<?php echo $id ?>][]" class="form-control menu-name" value="<?php echo escapeHtml($menu['name']); ?>"/>
+											<label>Link:</label> <input type="text" name="menu_link[<?php echo $id ?>][]" value="<?php echo $menu['link'] ?>"/>
-											</label>
+											<input type="hidden" name="menu_blank[<?php echo $id ?>][]" value="0"/>
-
+											<label><input class="blank-checkbox" type="checkbox" <?php echo($menu['blank'] == 1 ? 'checked' : '') ?>/><span title="Open in New Window">New Window</span></label>
-											<label class="label_menu_link">Link: <input type="text" name="menu_link[<?= $id ?>][]" class="form-control menu-link" value="<?php echo $menu['link'] ?>"/>
+											<input class="color-picker" type="text" name="menu_color[<?php echo $id ?>][]" value="<?php echo $color; ?>"/>
 											</label>
 											<br/>
 											<div class="menu-options-row">
 												<label>Access:
 													<select name="menu_access[<?= $id ?>][]" class="form-control menu-access">
 														<option value="0" <?= ($menu['access'] == 0 ? 'selected' : ''); ?>>Guest*</option>
 														<?php foreach ($groups->getGroups() as $group): ?>
 															<option value="<?= $group->getId(); ?>" <?= ($menu['access'] == $group->getId() ? 'selected' : ''); ?>><?= ucfirst($group->getName()); ?></option>
 														<?php endforeach; ?>
 													</select>
 												</label>
 												<label>Color: <input class="menu-color" type="color" name="menu_color[<?php echo $id ?>][]" value="<?php echo $color; ?>"/>
 												</label>
 												<input type="hidden" name="menu_blank[<?php echo $id ?>][]" class="menu-blank" value="0"/>
 												<label><input type="checkbox" class="menu-blank-checkbox" <?php echo($menu['blank'] == 1 ? 'checked' : '') ?>/><span title="Open in New Window">New Window</span></label>
 											</div>
 											<a class="remove-button" id="remove-button-<?php echo $id ?>-<?php echo $i ?>"><i class="fas fa-trash"></a></i></li>
 										<?php $i++; $last_id[$id] = $i;
 									endforeach;
--- a/admin/pages/players.php
+++ b/admin/pages/players.php
@@ -10,7 +10,6 @@
 use MyAAC\Forum;
 use MyAAC\Models\Player;
 use MyAAC\Server\XML\Vocations;
 defined('MYAAC') or die('Direct access not allowed!');
@@ -35,7 +34,6 @@ $skills = array(
 $hasBlessingsColumn = $db->hasColumn('players', 'blessings');
 $hasBlessingColumn = $db->hasColumn('players', 'blessings1');
 $hasLookAddons = $db->hasColumn('players', 'lookaddons');
 $hasCapColumn = $db->hasColumn('players', 'cap');
 $skull_type = array("None", "Yellow", "Green", "White", "Red", "Black", "Orange");
 ?>
@@ -168,11 +166,8 @@ else if (isset($_REQUEST['search'])) {
 			$town = $_POST['town'];
 			verify_number($town, 'Town', 11);
-			if ($hasCapColumn) {
+			$capacity = $_POST['capacity'];
-				$capacity = $_POST['capacity'];
+			verify_number($capacity, 'Capacity', 11);
 				verify_number($capacity, 'Capacity', 11);
 			}
 			$sex = $_POST['sex'];
 			verify_number($sex, 'Sex', 1);
@@ -242,30 +237,7 @@ else if (isset($_REQUEST['search'])) {
 				$player->setGroup($groups->getGroup($group));
 				$player->setLevel($level);
 				$player->setExperience($experience);
 				if ($db->hasColumn('players', 'promotion')) {
 					$promotion = 0;
 					$vocationOriginal = Vocations::getOriginal($vocation);
 					if ($vocation != $vocationOriginal) {
 						$tmpId = $vocationOriginal;
 						while($promoted = Vocations::getPromoted($tmpId)) {
 							$promotion++;
 							$tmpId = $promoted;
 							if ($promoted == $vocation) {
 								break;
 							}
 						}
 						$vocation = $vocationOriginal;
 					}
 					$player->setPromotion($promotion);
 				}
 				$player->setVocation($vocation);
 				$player->setHealth($health);
 				$player->setHealthMax($health_max);
 				$player->setMagLevel($magic_level);
@@ -277,20 +249,16 @@ else if (isset($_REQUEST['search'])) {
 				$player->setLookHead($look_head);
 				$player->setLookLegs($look_legs);
 				$player->setLookType($look_type);
-				if ($hasLookAddons) {
+				if ($hasLookAddons)
 					$player->setLookAddons($look_addons);
-				}
+				if ($db->hasColumn('players', 'offlinetraining_time'))
-
+					$player->setCustomField('offlinetraining_time', $offlinetraining);
 				$player->setPosX($pos_x);
 				$player->setPosY($pos_y);
 				$player->setPosZ($pos_z);
 				$player->setSoul($soul);
 				$player->setTownId($town);
-
+				$player->setCap($capacity);
 				if ($hasCapColumn) {
 					$player->setCap($capacity);
 				}
 				$player->setSex($sex);
 				$player->setLastLogin($lastlogin);
 				$player->setLastLogout($lastlogout);
@@ -307,11 +275,23 @@ else if (isset($_REQUEST['search'])) {
 				if ($hasBlessingsColumn)
 					$player->setBlessings($blessings);
 				if ($hasBlessingColumn) {
 					for ($i = 1; $i <= $bless_count; $i++) {
 						$a = 'blessing' . $i;
 						$player->setCustomField('blessings' . $i, ${'blessing' . $i} ? '1' : '0');
 					}
 				}
 				$player->setBalance($balance);
 				if ($db->hasColumn('players', 'stamina'))
 					$player->setStamina($stamina);
-
+				if ($db->hasColumn('players', 'deletion'))
-				$player->setDeleted($deleted ? '1' : '0');
+					$player->setCustomField('deletion', $deleted ? '1' : '0');
 				else
 					$player->setCustomField('deleted', $deleted ? '1' : '0');
 				$player->setCustomField('hide', $hide ? '1' : '0');
 				$player->setCustomField('created', $created);
 				if (isset($comment))
 					$player->setCustomField('comment', $comment);
 				foreach ($_POST['skills'] as $skill => $value) {
 					$player->setSkill($skill, $value);
@@ -320,24 +300,6 @@ else if (isset($_REQUEST['search'])) {
 					$player->setSkillTries($skill, $value);
 				}
 				$player->save();
 				if ($db->hasColumn('players', 'offlinetraining_time')) {
 					$player->setCustomField('offlinetraining_time', $offlinetraining);
 				}
 				if ($hasBlessingColumn) {
 					for ($i = 1; $i <= $bless_count; $i++) {
 						$a = 'blessing' . $i;
 						$player->setCustomField('blessings' . $i, ${'blessing' . $i} ? '1' : '0');
 					}
 				}
 				$player->setCustomField('hide', $hide ? '1' : '0');
 				$player->setCustomField('created', $created);
 				if (isset($comment)) {
 					$player->setCustomField('comment', $comment);
 				}
 				echo_success('Player saved at: ' . date('G:i'));
 				$player->load($id);
 			}
@@ -569,12 +531,10 @@ else if (isset($_REQUEST['search'])) {
 									</div>
 								</div>
 								<div class="form-group row">
 									<?php if($hasCapColumn): ?>
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="capacity" class="control-label">Capacity:</label>
 										<input type="text" class="form-control" id="capacity" name="capacity" autocomplete="off" size="3" maxlength="11" value="<?php echo $player->getCap(); ?>"/>
 									</div>
 									<?php endif; ?>
 									<div class="col-12 col-sm-12 col-lg-6">
 										<label for="soul" class="control-label">Soul:</label>
 										<input type="text" class="form-control" id="soul" name="soul" autocomplete="off" size="3" maxlength="10" value="<?php echo $player->getSoul(); ?>"/>
--- a/admin/template/template.php
+++ b/admin/template/template.php
@@ -19,14 +19,14 @@
 	<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,400,600,700,300italic,400italic,600italic">
 	<?php $hooks->trigger(HOOK_ADMIN_HEAD_END); ?>
 </head>
-<body class="sidebar-mini <?= (session('admin.menu-collapse') ? 'sidebar-collapse' : ''); ?>">
+<body class="sidebar-mini ">
 <?php $hooks->trigger(HOOK_ADMIN_BODY_START); ?>
 <?php if ($logged && admin()) { ?>
 	<div class="wrapper">
 		<nav class="main-header navbar navbar-expand navbar-white navbar-light">
 			<ul class="navbar-nav">
 				<li class="nav-item">
-					<a class="nav-link sidebar-toggle" data-widget="pushmenu" href="#"><i class="fas fa-bars"></i></a>
+					<a class="nav-link" data-widget="pushmenu" href="#"><i class="fas fa-bars"></i></a>
 				</li>
 				<li class="nav-item d-none d-sm-inline-block">
 					<a href="<?php echo ADMIN_URL; ?>" class="nav-link">Home</a>
@@ -172,7 +172,8 @@
 			<div class="float-sm-right d-none d-sm-inline">
 				<span class="p-2 right badge badge-<?php echo((isset($status['online']) and $status['online']) ? 'success' : 'danger'); ?>"><?php echo $config['lua']['serverName'] ?></span>
 			</div>
-			<?php echo base64_decode('UG93ZXJlZCBieSA8YSBocmVmPSJodHRwOi8vbXktYWFjLm9yZyIgdGFyZ2V0PSJfYmxhbmsiPk15QUFDLjwvYT4='); ?>
+			<?= base64_decode('UG93ZXJlZCBieSA8YSBocmVmPSJodHRwOi8vbXktYWFjLm9yZyIgdGFyZ2V0PSJfYmxhbmsiPk15QUFDLjwvYT4='); ?>
 			<?= 'Load time: ' . round(microtime(true) - START_TIME, 4) . ' seconds.'; ?>
 		</footer>
 		<div id="sidebar-overlay"></div>
 	</div>
@@ -198,7 +199,6 @@ if ($logged && admin()) {
 <script src="<?php echo BASE_URL; ?>tools/js/datatables.bs.min.js"></script>
 <?php } ?>
 <script src="<?php echo BASE_URL; ?>tools/js/adminlte.min.js"></script>
 <?php $twig->display('admin.menu-collapse.html.twig'); ?>
 <?php $hooks->trigger(HOOK_ADMIN_BODY_END); ?>
 </body>
 </html>
--- a/admin/tools/menu_collapse.php
+++ b/admin/tools/menu_collapse.php
@@ -1,23 +0,0 @@
 <?php
 const MYAAC_ADMIN = true;
 const IGNORE_SET_LAST_VISIT = true;
 require '../../common.php';
 require SYSTEM . 'functions.php';
 require SYSTEM . 'init.php';
 require SYSTEM . 'login.php';
 if(!admin()) {
 	http_response_code(500);
 	die('You are not logged in. Probably session expired. Please login again.');
 }
 if (!isset($_POST['collapse'])) {
 	http_response_code(500);
 	die('Something went wrong.');
 }
 csrfProtect();
 setSession('admin.menu-collapse', $_POST['collapse'] == 'true');
--- a/common.php
+++ b/common.php
@@ -26,8 +26,8 @@
 if (version_compare(phpversion(), '8.1', '<')) die('PHP version 8.1 or higher is required.');
 const MYAAC = true;
-const MYAAC_VERSION = '2.0-dev';
+const MYAAC_VERSION = '1.8.9';
-const DATABASE_VERSION = 51;
+const DATABASE_VERSION = 46;
 const TABLE_PREFIX = 'myaac_';
 define('START_TIME', microtime(true));
 define('MYAAC_OS', stripos(PHP_OS, 'WIN') === 0 ? 'WINDOWS' : (strtoupper(PHP_OS) === 'DARWIN' ? 'MAC' : 'LINUX'));
--- a/composer.json
+++ b/composer.json
@@ -19,8 +19,7 @@
        "symfony/var-dumper": "^6.4",
        "filp/whoops": "^2.15",
        "maximebf/debugbar": "1.*",
-        "guzzlehttp/guzzle": "7.9.3",
+        "guzzlehttp/guzzle": "7.9.3"
        "spomky-labs/otphp": "^11.3"
    },
    "require-dev": {
        "phpstan/phpstan": "^1.10"
--- a/composer.lock
+++ b/composer.lock
--- a/images/druid.png
+++ b/images/druid.png
--- a/images/knight.png
+++ b/images/knight.png
--- a/images/monk.png
+++ b/images/monk.png
--- a/images/paladin.png
+++ b/images/paladin.png
--- a/images/sorcerer.png
+++ b/images/sorcerer.png
--- a/install/includes/import_base_data.php
+++ b/install/includes/import_base_data.php
@@ -3,7 +3,6 @@ defined('MYAAC') or die('Direct access not allowed!');
 use MyAAC\Models\Changelog;
 use MyAAC\Models\Config;
 use MyAAC\Models\FAQ;
 use MyAAC\Models\ForumBoard;
 use MyAAC\Models\Gallery;
 use MyAAC\Models\NewsCategory;
@@ -57,10 +56,13 @@ if (NewsCategory::count() === 0) {
 	}
 }
-if(FAQ::count() == 0) {
+if (Gallery::count() === 0) {
-	FAQ::create([
+	Gallery::create([
-		'question' => 'What is this?',
+		'comment' => 'Demon',
-		'answer' => 'This is website for OTS powered by MyAAC.',
+		'image' => 'images/gallery/demon.jpg',
 		'thumb' => 'images/gallery/demon_thumb.gif',
 		'author' => 'MyAAC',
 		'ordering' => 0,
 	]);
 }
--- a/install/includes/schema.sql
+++ b/install/includes/schema.sql
@@ -1,20 +1,11 @@
 CREATE TABLE IF NOT EXISTS `myaac_account_actions`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`account_id` int NOT NULL,
-	`ip` varchar(45) NOT NULL DEFAULT '',
+	`ip` int unsigned NOT NULL DEFAULT 0,
 	`ipv6` binary(16) NOT NULL DEFAULT 0,
 	`date` int NOT NULL DEFAULT 0,
 	`action` varchar(255) NOT NULL DEFAULT '',
-	PRIMARY KEY (`id`)
+	KEY (`account_id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
 CREATE TABLE IF NOT EXISTS `myaac_account_email_codes`
 (
 	`id` int(11) NOT NULL AUTO_INCREMENT,
 	`account_id` int NOT NULL,
 	`code` varchar(6) NOT NULL,
 	`created_at` int NOT NULL,
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
 CREATE TABLE IF NOT EXISTS `myaac_account_emails_verify`
@@ -111,7 +102,6 @@ CREATE TABLE IF NOT EXISTS `myaac_menu`
 	`template` varchar(255) NOT NULL,
 	`name` varchar(255) NOT NULL,
 	`link` varchar(255) NOT NULL,
 	`access` tinyint NOT NULL DEFAULT 0,
 	`blank` tinyint NOT NULL DEFAULT 0,
 	`color` varchar(6) NOT NULL DEFAULT '',
 	`category` int NOT NULL DEFAULT 1,
@@ -207,6 +197,18 @@ CREATE TABLE IF NOT EXISTS `myaac_pages`
 	UNIQUE (`name`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
 CREATE TABLE IF NOT EXISTS `myaac_gallery`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`comment` varchar(255) NOT NULL DEFAULT '',
 	`image` varchar(255) NOT NULL,
 	`thumb` varchar(255) NOT NULL,
 	`author` varchar(50) NOT NULL DEFAULT '',
 	`ordering` int NOT NULL DEFAULT 0,
 	`hide` tinyint NOT NULL DEFAULT 0,
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
 CREATE TABLE IF NOT EXISTS `myaac_settings`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
--- a/install/index.php
+++ b/install/index.php
@@ -30,7 +30,7 @@ if(file_exists(CACHE . 'install.txt')) {
 	$install_status = unserialize(file_get_contents(CACHE . 'install.txt'));
 	if(!isset($_REQUEST['step'])) {
-		$step = isset($install_status['step']) ? $install_status['step'] : '';
+		$step = $install_status['step'] ?? '';
 	}
 }
@@ -53,7 +53,7 @@ if($step == 'finish' && (!isset($config['installed']) || !$config['installed']))
 // step verify
 $steps = array(1 => 'welcome', 2 => 'license', 3 => 'requirements', 4 => 'config', 5 => 'database', 6 => 'admin', 7 => 'finish');
-if(!in_array($step, $steps)) // check if step is valid
+if(!in_array($step, $steps)) // check if a step is valid
 	throw new RuntimeException('ERROR: Unknown step.');
 $install_status['step'] = $step;
@@ -61,7 +61,7 @@ $errors = array();
 if($step == 'database') {
 	foreach($_SESSION as $key => $value) {
-		if(strpos($key, 'var_') === false) {
+		if(!str_contains($key, 'var_')) {
 			continue;
 		}
@@ -182,7 +182,7 @@ $error = false;
 clearstatcache();
 if(is_writable(CACHE) && (MYAAC_OS != 'WINDOWS' || win_is_writable(CACHE))) {
 	if(!file_exists(BASE . 'install/ip.txt')) {
-		$content = warning('AAC installation is disabled. To enable it make file <b>ip.txt</b> in install/ directory and put there your IP.<br/>
+		$content = warning('AAC installation is disabled. To enable it make a file <b>ip.txt</b> in install/ directory and put there your IP.<br/>
 		Your IP is:<br /><b>' . get_browser_real_ip() . '</b>', true);
 	}
 	else {
@@ -198,7 +198,7 @@ if(is_writable(CACHE) && (MYAAC_OS != 'WINDOWS' || win_is_writable(CACHE))) {
 		if(!$allow)
 		{
 			$content = warning('In file <b>install/ip.txt</b> must be your IP!<br/>
-			In file is:<br /><b>' . nl2br($file_content) . '</b><br/>
+			In the file is:<br /><b>' . nl2br($file_content) . '</b><br/>
 			Your IP is:<br /><b>' . get_browser_real_ip() . '</b>', true);
 		}
 		else {
--- a/install/tools/5-database.php
+++ b/install/tools/5-database.php
@@ -98,16 +98,6 @@ if(!$db->hasColumn('accounts', 'web_flags')) {
 		success($locale['step_database_adding_field'] . ' accounts.web_flags...');
 }
 if(!$db->hasColumn('accounts', '2fa_type')) {
 	if(query("ALTER TABLE `accounts` ADD `2fa_type` tinyint NOT NULL DEFAULT 0 AFTER `web_flags`;"))
 		success($locale['step_database_adding_field'] . ' accounts.2fa_type...');
 }
 if(!$db->hasColumn('accounts', '2fa_secret')) {
 	if(query("ALTER TABLE `accounts` ADD `2fa_secret` varchar(16) NOT NULL DEFAULT '' AFTER `2fa_type`;"))
 		success($locale['step_database_adding_field'] . ' accounts.2fa_secret...');
 }
 if(!$db->hasColumn('accounts', 'email_verified')) {
 	if(query("ALTER TABLE `accounts` ADD `email_verified` TINYINT(1) NOT NULL DEFAULT 0 AFTER `web_flags`;"))
 		success($locale['step_database_adding_field'] . ' accounts.email_verified...');
--- a/install/tools/7-finish.php
+++ b/install/tools/7-finish.php
@@ -2,6 +2,8 @@
 define('MYAAC_INSTALL', true);
 use MyAAC\DataLoader;
 use MyAAC\Models\FAQ as ModelsFAQ;
 use MyAAC\Plugins;
 require_once '../../common.php';
@@ -23,17 +25,48 @@ if(isset($config['installed']) && $config['installed'] && !isset($_SESSION['save
 require SYSTEM . 'init.php';
-// add player samples
+if ($db->hasTable('players')) {
-require_once SYSTEM . 'migrations/49.php';
+	$deleted = 'deleted';
-$up();
+	if ($db->hasColumn('players', 'deletion'))
 		$deleted = 'deletion';
 	$time = time();
 	function insert_sample_if_not_exist($p)
 	{
 		global $db, $success, $deleted, $time;
 		$query = $db->query('SELECT `id` FROM `players` WHERE `name` = ' . $db->quote($p['name']));
 		if ($query->rowCount() == 0) {
 			if (!query("INSERT INTO `players` (`id`, `name`, `group_id`, `account_id`, `level`, `vocation`, `health`, `healthmax`, `experience`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`, `maglevel`, `mana`, `manamax`, `manaspent`, `soul`, `town_id`, `posx`, `posy`, `posz`, `conditions`, `cap`, `sex`, `lastlogin`, `lastip`, `save`, `lastlogout`, `balance`, `$deleted`, `created`, `hide`, `comment`) VALUES (null, " . $db->quote($p['name']) . ", 1, " . getSession('account') . ", " . $p['level'] . ", " . $p['vocation_id'] . ", " . $p['health'] . ", " . $p['healthmax'] . ", " . $p['experience'] . ", 118, 114, 38, 57, " . $p['looktype'] . ", 0, " . $p['mana'] . ", " . $p['manamax'] . ", 0, " . $p['soul'] . ", 1, 1000, 1000, 7, '', " . $p['cap'] . ", 1, " . $time . ", 2130706433, 1, " . $time . ", 0, 0, " . $time . ", 1, '');"))
 				$success = false;
 		}
 	}
 	$success = true;
 	insert_sample_if_not_exist(array('name' => 'Rook Sample', 'level' => 1, 'vocation_id' => 0, 'health' => 150, 'healthmax' => 150, 'experience' => 0, 'looktype' => 130, 'mana' => 0, 'manamax' => 0, 'soul' => 100, 'cap' => 400));
 	insert_sample_if_not_exist(array('name' => 'Sorcerer Sample', 'level' => 8, 'vocation_id' => 1, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
 	insert_sample_if_not_exist(array('name' => 'Druid Sample', 'level' => 8, 'vocation_id' => 2, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
 	insert_sample_if_not_exist(array('name' => 'Paladin Sample', 'level' => 8, 'vocation_id' => 3, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 129, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
 	insert_sample_if_not_exist(array('name' => 'Knight Sample', 'level' => 8, 'vocation_id' => 4, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 131, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470));
 	if ($success) {
 		success($locale['step_database_imported_players']);
 	}
 }
 DataLoader::setLocale($locale);
 DataLoader::load();
 clearCache();
 // add menus entries
 require_once SYSTEM . 'migrations/17.php';
 $up();
 // update config.highscores_ids_hidden
 require_once SYSTEM . 'migrations/20.php';
 $up();
 // add z_polls tables
 require_once SYSTEM . 'migrations/22.php';
 $up();
@@ -52,6 +85,13 @@ $up();
 require_once SYSTEM . 'migrations/45.php';
 $up();
 if(ModelsFAQ::count() == 0) {
 	ModelsFAQ::create([
 		'question' => 'What is this?',
 		'answer' => 'This is website for OTS powered by MyAAC.',
 	]);
 }
 $hooks->trigger(HOOK_INSTALL_FINISH);
 $db->setClearCacheAfter(true);
@@ -67,6 +107,10 @@ if(file_exists(CACHE . 'install.txt')) {
 	unlink(CACHE . 'install.txt');
 }
 if(file_exists(BASE . 'install/ip.txt')) {
 	unlink(BASE . 'install/ip.txt');
 }
 $locale['step_finish_desc'] = str_replace('$ADMIN_PANEL$', generateLink(str_replace('tools/', '',ADMIN_URL), $locale['step_finish_admin_panel'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$HOMEPAGE$', generateLink(str_replace('tools/', '', BASE_URL), $locale['step_finish_homepage'], true), $locale['step_finish_desc']);
 $locale['step_finish_desc'] = str_replace('$LINK$', generateLink('https://my-aac.org', 'https://my-aac.org', true), $locale['step_finish_desc']);
--- a/login.php
+++ b/login.php
@@ -5,7 +5,6 @@ use MyAAC\Models\PlayerOnline;
 use MyAAC\Models\Account;
 use MyAAC\Models\Player;
 use MyAAC\RateLimit;
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 require_once 'common.php';
 require_once SYSTEM . 'functions.php';
@@ -13,7 +12,7 @@ require_once SYSTEM . 'init.php';
 require_once SYSTEM . 'status.php';
 # error function
-function sendError($message, $code = 3) {
+function sendError($message, $code = 3){
 	$ret = [];
 	$ret['errorCode'] = $code;
 	$ret['errorMessage'] = $message;
@@ -109,18 +108,17 @@ switch ($action) {
 	case 'login':
-		$ip = configLua('ip');
+		$port = $config['lua']['gameProtocolPort'];
 		$port = configLua('gameProtocolPort');
 		// default world info
 		$world = [
 			'id' => 0,
 			'name' => $config['lua']['serverName'],
-			'externaladdress' => $ip,
+			'externaladdress' => $config['lua']['ip'],
 			'externalport' => $port,
-			'externaladdressprotected' => $ip,
+			'externaladdressprotected' => $config['lua']['ip'],
 			'externalportprotected' => $port,
-			'externaladdressunprotected' => $ip,
+			'externaladdressunprotected' => $config['lua']['ip'],
 			'externalportunprotected' => $port,
 			'previewstate' => 0,
 			'location' => 'BRA', // BRA, EUR, USA
@@ -135,12 +133,13 @@ switch ($action) {
 		$inputEmail = $request->email ?? false;
 		$inputAccountName = $request->accountname ?? false;
 		$inputToken = $request->token ?? false;
 		$account = Account::query();
-		if ($inputEmail) { // login by email
+		if ($inputEmail != false) { // login by email
 			$account->where('email', $inputEmail);
 		}
-		else if($inputAccountName) { // login by account name
+		else if($inputAccountName != false) { // login by account name
 			$account->where('name', $inputAccountName);
 		}
@@ -152,14 +151,13 @@ switch ($action) {
 		$limiter->load();
 		$ban_msg = 'A wrong account, password or secret has been entered ' . setting('core.account_login_attempts_limit') . ' times in a row. You are unable to log into your account for the next ' . setting('core.account_login_ban_time') . ' minutes. Please wait.';
 		if (!$account) {
 			$limiter->increment($ip);
 			if ($limiter->exceeded($ip)) {
 				sendError($ban_msg);
 			}
-			sendError(($inputEmail ? 'Email' : 'Account name') . ' or password is not correct.');
+			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');
 		}
 		$current_password = encrypt((USE_ACCOUNT_SALT ? $account->salt : '') . $request->password);
@@ -169,30 +167,32 @@ switch ($action) {
 				sendError($ban_msg);
 			}
-			sendError(($inputEmail ? 'Email' : 'Account name') . ' or password is not correct.');
+			sendError(($inputEmail != false ? 'Email' : 'Account name') . ' or password is not correct.');
 		}
-		$twoFactorAuth = TwoFactorAuth::getInstance($account->id);
+		$accountHasSecret = false;
 		if (fieldExist('secret', 'accounts')) {
 			$accountSecret = $account->secret;
 			if ($accountSecret != null && $accountSecret != '') {
 				$accountHasSecret = true;
 				if ($inputToken === false) {
 					$limiter->increment($ip);
 					if ($limiter->exceeded($ip)) {
 						sendError($ban_msg);
 					}
 					sendError('Submit a valid two-factor authentication token.', 6);
 				} else {
 					require_once LIBS . 'rfc6238.php';
 					if (TokenAuth6238::verify($accountSecret, $inputToken) !== true) {
 						$limiter->increment($ip);
 						if ($limiter->exceeded($ip)) {
 							sendError($ban_msg);
 						}
-		$code = '';
+						sendError('Two-factor authentication failed, token is wrong.', 6);
-		if ($twoFactorAuth->isActive()) {
+					}
-			if ($twoFactorAuth->getAuthType() === TwoFactorAuth::TYPE_EMAIL) {
+				}
 				$code = $request->emailcode ?? false;
 			}
 			else if ($twoFactorAuth->getAuthType() === TwoFactorAuth::TYPE_APP) {
 				$code = $request->token ?? false;
 			}
 		}
 		$error = '';
 		$errorCode = 6;
 		if (!$twoFactorAuth->processClientLogin($code, $error, $errorCode)) {
 			$limiter->increment($ip);
 			if ($limiter->exceeded($ip)) {
 				sendError($ban_msg);
 			}
 			sendError($error, $errorCode);
 		}
 		$limiter->reset($ip);
@@ -220,6 +220,46 @@ switch ($action) {
 			}
 		}
 		/*
 		 * not needed anymore?
 		if (fieldExist('premdays', 'accounts') && fieldExist('lastday', 'accounts')) {
 			$save = false;
 			$timeNow = time();
 			$premDays = $account->premdays;
 			$lastDay = $account->lastday;
 			$lastLogin = $lastDay;
 			if ($premDays != 0 && $premDays != PHP_INT_MAX) {
 				if ($lastDay == 0) {
 					$lastDay = $timeNow;
 					$save = true;
 				} else {
 					$days = (int)(($timeNow - $lastDay) / 86400);
 					if ($days > 0) {
 						if ($days >= $premDays) {
 							$premDays = 0;
 							$lastDay = 0;
 						} else {
 							$premDays -= $days;
 							$reminder = ($timeNow - $lastDay) % 86400;
 							$lastDay = $timeNow - $reminder;
 						}
 						$save = true;
 					}
 				}
 			} else if ($lastDay != 0) {
 				$lastDay = 0;
 				$save = true;
 			}
 			if ($save) {
 				$account->premdays = $premDays;
 				$account->lastday = $lastDay;
 				$account->save();
 			}
 		}
 		*/
 		$worlds = [$world];
 		$playdata = compact('worlds', 'characters');
@@ -228,7 +268,7 @@ switch ($action) {
 		if (!fieldExist('istutorial', 'players')) {
 			$sessionKey .= "\n";
 		}
-		$sessionKey .= ($twoFactorAuth->isActive() && strlen($account->{'2fa_secret'}) > 5) ? $account->{'2fa_secret'} : '';
+		$sessionKey .= ($accountHasSecret && strlen($accountSecret) > 5) ? $inputToken : '';
 		// this is workaround to distinguish between TFS 1.x and otservbr
 		// TFS 1.x requires the number in session key
--- a/package-lock.json
+++ b/package-lock.json
@@ -1743,9 +1743,9 @@
      }
    },
    "node_modules/qs": {
-      "version": "6.14.1",
+      "version": "6.14.2",
-      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
-      "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
      "dev": true,
      "license": "BSD-3-Clause",
      "dependencies": {
--- a/phpstan-bootstrap.php
+++ b/phpstan-bootstrap.php
@@ -4,6 +4,7 @@ require __DIR__ . '/system/libs/pot/OTS.php';
 $ots = POT::getInstance();
 require __DIR__ . '/system/libs/pot/InvitesDriver.php';
 require __DIR__ . '/system/libs/rfc6238.php';
 require __DIR__ . '/common.php';
 const ACTION = '';
--- a/system/compat/config.php
+++ b/system/compat/config.php
@@ -5,6 +5,8 @@ $deprecatedConfig = [
 	'genders',
 	'template',
 	'template_allow_change',
 	'vocations_amount',
 	'vocations',
 	'client',
 	'session_prefix',
 	'friendly_urls',
--- a/system/functions.php
+++ b/system/functions.php
@@ -17,8 +17,6 @@ use MyAAC\Models\Guild;
 use MyAAC\Models\House;
 use MyAAC\Models\Pages;
 use MyAAC\Models\Player;
 use MyAAC\Models\PlayerDeath;
 use MyAAC\Models\PlayerKillers;
 use MyAAC\News;
 use MyAAC\Plugins;
 use MyAAC\Settings;
@@ -1141,44 +1139,11 @@ function csrfProtect(): void
 	}
 }
-function getSkillIdByName(string $name): int|null
+function getTopPlayers($limit = 5, $skill = 'level') {
 {
 	$skills = [
 		'level' => POT::SKILL_LEVEL,
 		'experience' => POT::SKILL_LEVEL,
 		'magic' => POT::SKILL_MAGIC,
 		'maglevel' => POT::SKILL_MAGIC,
 		'balance' => SKILL_BALANCE,
 		'frags' => SKILL_FRAGS,
 		'club' => POT::SKILL_CLUB,
 		'sword' => POT::SKILL_SWORD,
 		'axe' => POT::SKILL_AXE,
 		'dist' => POT::SKILL_DIST,
 		'distance' => POT::SKILL_DIST,
 		'shield' => POT::SKILL_SHIELD,
 		'shielding' => POT::SKILL_SHIELD,
 		'fish' => POT::SKILL_FISH,
 		'fishing' => POT::SKILL_FISH,
 	];
 	return $skills[$name] ?? null;
 }
 function getTopPlayers($limit = 5, $skill = POT::SKILL_LEVEL)
 {
 	global $db;
-	$skillOriginal = $skill;
+	if ($skill === 'level') {
-
+		$skill = 'experience';
 	if (is_string($skill)) {
 		$skill = getSkillIdByName($skill);
 	}
 	if (!is_numeric($skill)) {
 		throw new RuntimeException("getTopPlayers: Invalid skill: $skillOriginal");
 	}
 	return Cache::remember("top_{$limit}_{$skill}", 2 * 60, function () use ($db, $limit, $skill) {
@@ -1199,64 +1164,15 @@ function getTopPlayers($limit = 5, $skill = POT::SKILL_LEVEL)
 			$columns[] = 'lookmount';
 		}
-		$query = Player::query()
+		return Player::query()
 			->select($columns)
 			->withOnlineStatus()
 			->notDeleted()
 			->where('group_id', '<', setting('core.highscores_groups_hidden'))
 			->whereNotIn('id', setting('core.highscores_ids_hidden'))
 			->where('account_id', '!=', 1)
-			->orderByDesc('value');
+			->orderByDesc($skill)
-
+			->limit($limit)
 		if ($limit > 0) {
 			$query->limit($limit);
 		}
 		if ($skill >= POT::SKILL_FIRST && $skill <= POT::SKILL_LAST) { // skills
 			if ($db->hasColumn('players', 'skill_fist')) {// tfs 1.0
 				$skill_ids = array(
 					POT::SKILL_FIST => 'skill_fist',
 					POT::SKILL_CLUB => 'skill_club',
 					POT::SKILL_SWORD => 'skill_sword',
 					POT::SKILL_AXE => 'skill_axe',
 					POT::SKILL_DIST => 'skill_dist',
 					POT::SKILL_SHIELD => 'skill_shielding',
 					POT::SKILL_FISH => 'skill_fishing',
 				);
 				$query
 					->addSelect($skill_ids[$skill] . ' as value')
 					->orderByDesc($skill_ids[$skill] . '_tries');
 			} else {
 				$query
 					->join('player_skills', 'player_skills.player_id', '=', 'players.id')
 					->where('skillid', $skill)
 					->addSelect('player_skills.value as value');
 			}
 		} else if ($skill == SKILL_FRAGS) // frags
 		{
 			if ($db->hasTable('player_killers')) {
 				$query->addSelect(['value' => PlayerKillers::whereColumn('player_killers.player_id', 'players.id')->selectRaw('COUNT(*)')]);
 			} else {
 				$query->addSelect(['value' => PlayerDeath::unjustified()->whereColumn('player_deaths.killed_by', 'players.name')->selectRaw('COUNT(*)')]);
 			}
 		} else if ($skill == SKILL_BALANCE) // balance
 		{
 			$query
 				->addSelect('players.balance as value');
 		} else {
 			if ($skill == POT::SKILL_MAGIC) {
 				$query
 					->addSelect('players.maglevel as value', 'players.maglevel')
 					->orderByDesc('manaspent');
 			} else { // level
 				$query
 					->addSelect('players.level as value', 'players.experience')
 					->orderByDesc('experience');
 			}
 		}
 		return $query
 			->get()
 			->map(function ($e, $i) {
 				$row = $e->toArray();
@@ -1808,8 +1724,8 @@ function getAccountIdentityColumn(): string
 function isCanary(): bool
 {
-	$dataPackDirectory = configLua('dataPackDirectory');
+	$vipSystemEnabled = configLua('vipSystemEnabled');
-	return isset($dataPackDirectory);
+	return isset($vipSystemEnabled);
 }
 function getStatusUptimeReadable(int $uptime): string
--- a/system/init.php
+++ b/system/init.php
@@ -14,7 +14,6 @@ use MyAAC\CsrfToken;
 use MyAAC\Hooks;
 use MyAAC\Plugins;
 use MyAAC\Models\Town;
 use MyAAC\Server\XML\Vocations;
 use MyAAC\Settings;
 defined('MYAAC') or die('Direct access not allowed!');
@@ -215,5 +214,3 @@ if (count($towns) <= 0) {
 config(['towns', $towns]);
 unset($towns);
 new Vocations();
--- a/system/libs/pot/OTS_Account.php
+++ b/system/libs/pot/OTS_Account.php
@@ -12,9 +12,6 @@
 * @license http://www.gnu.org/licenses/lgpl-3.0.txt GNU Lesser General Public License, Version 3
 */
 use MyAAC\Models\Account as AccountModel;
 use MyAAC\Models\AccountAction;
 /**
 * OTServ account abstraction.
 *
@@ -43,11 +40,7 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 */
 	private $data = array('email' => '', 'rlname' => '','location' => '', 'country' => '','web_flags' => 0, 'lastday' => 0, 'premdays' => 0, 'created' => 0);
-	private array $columns = ['password', 'email', 'rlname', 'location', 'country', 'web_flags', 'created'];
+	public static $cache = array();
 	private array $optionalColumns = ['name', 'number', 'lastday', 'premdays', 'premium_ends_at', 'premend'];
 	public static array $cache = [];
 	const GRATIS_PREMIUM_DAYS = 65535;
 /**
@@ -332,50 +325,27 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 */
 	public function save()
 	{
-		if (!isset($this->data['id'])) {
+		if( !isset($this->data['id']) )
 		{
 			throw new E_OTS_NotLoaded();
 		}
-		$defaultValues = [
+	$field = 'lastday';
-			'premium_ends_at' => 0,
+	if($this->db->hasColumn('accounts', 'premend')) { // othire
-			'lastday' => 0,
+			$field = 'premend';
-			'premend' => 0,
+		if(!isset($this->data['premend'])) {
-			'premdays' => 0,
+			$this->data['premend'] = 0;
 		];
 		foreach ($defaultValues as $key => $value) {
 			if (!isset($this->data[$key])) {
 				$this->data[$key] = $value;
 			}
 		}
-
+	}
-		$columns = $this->columns;
+	else if($this->db->hasColumn('accounts', 'premium_ends_at')) {
-		foreach ($this->optionalColumns as $column) {
+		$field = 'premium_ends_at';
-			if ($this->db->hasColumn('accounts', $column)) {
+		if(!isset($this->data['premium_ends_at'])) {
-				$columns[] = $column;
+			$this->data['premium_ends_at'] = 0;
 			}
 		}
 	}
-		$values = [];
+		// UPDATE query on database
-		foreach ($columns as $column) {
+		$this->db->exec('UPDATE `accounts` SET ' . ($this->db->hasColumn('accounts', 'name') ? '`name` = ' . $this->db->quote($this->data['name']) . ',' : '') . '`password` = ' . $this->db->quote($this->data['password']) . ', `email` = ' . $this->db->quote($this->data['email']) . ', `rlname` = ' . $this->db->quote($this->data['rlname']) . ', `location` = ' . $this->db->quote($this->data['location']) . ', `country` = ' . $this->db->quote($this->data['country']) . ', `web_flags` = ' . (int) $this->data['web_flags'] . ', ' . ($this->db->hasColumn('accounts', 'premdays') ? '`premdays` = ' . (int) $this->data['premdays'] . ',' : '') . '`' . $field . '` = ' . (int) $this->data[$field] . ' WHERE `id` = ' . $this->data['id']);
 			$value = $this->data[$column];
 			$values[$column] = $value;
 		}
 		// updates existing player
 		if( isset($this->data['id']) ) {
 			AccountModel::where('id', $this->data['id'])->update($values);
 		}
 		// creates new player
 		else {
 			$values['created'] = time();
 			$account = AccountModel::create($values);
 			// ID of new player
 			$this->data['id'] = $account->id;
 		}
 	}
 /**
@@ -534,17 +504,11 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 * @since 0.7.5
 * @throws E_OTS_NotLoaded If account is not loaded.
 */
-	public function setPremDays($premdays): void
+	public function setPremDays($premdays)
 	{
 		$this->data['premdays'] = (int) $premdays;
-
+		$this->data['premend'] = time() + ($premdays * 24 * 60 * 60);
-		$premiumTimeInSeconds = time() + ($premdays * 24 * 60 * 60);
+		$this->data['premium_ends_at'] = time() + ($premdays * 24 * 60 * 60);
 		$this->data['premend'] = $premiumTimeInSeconds;
 		$this->data['premium_ends_at'] = $premiumTimeInSeconds;
 		if (isCanary()) {
 			$this->data['lastday'] = $premiumTimeInSeconds;
 		}
 	}
 	public function setRLName($name)
@@ -736,11 +700,17 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 */
 	public function setCustomField($field, $value)
 	{
-		if( !isset($this->data['id']) ) {
+		if( !isset($this->data['id']) )
 		{
 			throw new E_OTS_NotLoaded();
 		}
-		AccountModel::where('id', $this->data['id'])->update([$field => $value]);
+		// quotes value for SQL query
 		if(!( is_int($value) || is_float($value) ))
 		{
 			$value = $this->db->quote($value);
 		}
 		$this->db->exec('UPDATE ' . $this->db->tableName('accounts') . ' SET ' . $this->db->fieldName($field) . ' = ' . $value . ' WHERE ' . $this->db->fieldName('id') . ' = ' . $this->data['id']);
 	}
 /**
@@ -1037,16 +1007,26 @@ class OTS_Account extends OTS_Row_DAO implements IteratorAggregate, Countable
 	public function logAction($action)
 	{
-		AccountAction::create([
+		$ip = get_browser_real_ip();
-			'account_id' => $this->getId(),
+		if(!str_contains($ip, ":")) {
-			'ip' => get_browser_real_ip(),
+			$ipv6 = '0';
-			'date' => time(),
+		}
-			'action' => $action,
+		else {
-		]);
+			$ipv6 = $ip;
 			$ip = '';
 		}
 		return $this->db->exec('INSERT INTO `' . TABLE_PREFIX . 'account_actions` (`account_id`, `ip`, `ipv6`, `date`, `action`) VALUES (' . $this->db->quote($this->getId()).', ' . ($ip == '' ? '0' : $this->db->quote(ip2long($ip))) . ', (' . ($ipv6 == '0' ? $this->db->quote('') : $this->db->quote(inet_pton($ipv6))) . '), UNIX_TIMESTAMP(NOW()), ' . $this->db->quote($action).')');
 	}
-	public function getActionsLog($limit) {
+	public function getActionsLog($limit1, $limit2)
-		return AccountAction::where('account_id', $this->data['id'])->orderByDesc('date')->limit($limit)->get()->toArray();
+	{
 		$actions = array();
 		foreach($this->db->query('SELECT `ip`, `ipv6`, `date`, `action` FROM `' . TABLE_PREFIX . 'account_actions` WHERE `account_id` = ' . $this->data['id'] . ' ORDER by `date` DESC LIMIT ' . $limit1 . ', ' . $limit2 . '')->fetchAll() as $a)
 			$actions[] = array('ip' => $a['ip'], 'ipv6' => $a['ipv6'], 'date' => $a['date'], 'action' => $a['action']);
 		return $actions;
 	}
 /**
 * Returns players iterator.
--- a/system/libs/pot/OTS_DB_MySQL.php
+++ b/system/libs/pot/OTS_DB_MySQL.php
@@ -26,7 +26,6 @@ use MyAAC\Cache\Cache;
 */
 class OTS_DB_MySQL extends OTS_Base_DB
 {
 	private bool $hasCacheChanged = false;
 	private array $has_table_cache = [];
 	private array $has_column_cache = [];
 	private array $get_column_info_cache = [];
@@ -165,7 +164,7 @@ class OTS_DB_MySQL extends OTS_Base_DB
 				$cache->delete('database_columns_info');
 				$cache->delete('database_checksum');
 			}
-			else if ($this->hasCacheChanged) {
+			else {
 				$cache->set('database_tables', serialize($this->has_table_cache), 3600);
 				$cache->set('database_columns', serialize($this->has_column_cache), 3600);
 				$cache->set('database_columns_info', serialize($this->get_column_info_cache), 3600);
@@ -229,8 +228,6 @@ class OTS_DB_MySQL extends OTS_Base_DB
 	private function hasTableInternal($name): bool
 	{
 		$this->hasCacheChanged = true;
 		return ($this->has_table_cache[$name] = $this->query('SELECT `TABLE_NAME` FROM `information_schema`.`tables` WHERE `TABLE_SCHEMA` = ' . $this->quote(config('database_name')) . ' AND `TABLE_NAME` = ' . $this->quote($name) . ' LIMIT 1;')->rowCount() > 0);
 	}
@@ -244,8 +241,6 @@ class OTS_DB_MySQL extends OTS_Base_DB
 	}
 	private function hasColumnInternal($table, $column): bool {
 		$this->hasCacheChanged = true;
 		return $this->hasTable($table) && ($this->has_column_cache[$table . '.' . $column] = count($this->query('SHOW COLUMNS FROM `' . $table . "` LIKE " . $this->quote($column))->fetchAll()) > 0);
 	}
@@ -277,14 +272,11 @@ class OTS_DB_MySQL extends OTS_Base_DB
 			return false;
 		}
 		$this->hasCacheChanged = true;
 		$formatResult = function ($result) {
 			return [
 				'field' => $result['Field'],
 				'type' => $result['Type'],
 				'null' => strtolower($result['Null']),
 				'key' => strtolower($result['Key'] ?? ''),
 				'default' => $result['Default'],
 				'extra' => $result['Extra'],
 			];
--- a/system/libs/pot/OTS_Player.php
+++ b/system/libs/pot/OTS_Player.php
@@ -1,6 +1,20 @@
 <?php
-
+$__load = array();
-use MyAAC\Models\Player as PlayerModel;
+/*
 	'loss_experience' => NULL,
 	'loss_items' => NULL,
 	'guild_info' => NULL,
 	'skull_type' => NULL,
 	'skull_time' => NULL,
 	'blessings' => NULL,
 	'direction' => NULL,
 	'stamina' => NULL,
 	'world_id' => NULL,
 	'online' => NULL,
 	'deletion' => NULL,
 	'promotion' => NULL,
 	'marriage' => NULL
 );*/
 /**#@+
 * @version 0.0.1
@@ -95,10 +109,6 @@ class OTS_Player extends OTS_Row_DAO
 		POT::SKILL_FISH => array('value' => 0, 'tries' => 0)
 	);
 	private array $columns = ['name', 'account_id', 'group_id', 'sex', 'vocation', 'experience', 'level', 'maglevel', 'health', 'healthmax', 'mana', 'manamax', 'manaspent', 'soul', 'lookbody', 'lookfeet', 'lookhead', 'looklegs', 'looktype', 'posx', 'posy', 'posz', 'lastlogin', 'lastlogout', 'lastip', 'town_id', 'balance', 'created', 'comment', 'hide'];
 	private array $optionalColumns = ['cap', 'skull', 'skull_type', 'skull_time', 'loss_experience', 'loss_mana', 'loss_skills', 'loss_items', 'loss_containers', 'guildnick', 'rank_id', 'promotion', 'direction', 'blessings', 'stamina', 'lookaddons', 'save', 'conditions', 'world_id', 'online', 'deletion', 'deleted', 'marriage'];
 	private static array $playersOnline;
 /**
 * Magic PHP5 method.
@@ -123,14 +133,90 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function load($id, $fields = null, $load_skills = true)
 	{
-		$columns = $this->columns;
+		global $__load;
-		foreach ($this->optionalColumns as $column) {
+
-			if ($this->db->hasColumn('players', $column)) {
+		if(!isset($__load['loss_experience']))
-				$columns[] = $column;
+		{
 			$loss = '';
 			if($this->db->hasColumn('players', 'loss_experience')) {
 				$loss = ', `loss_experience`, `loss_mana`, `loss_skills`';
 			}
 			$__load['loss_experience'] = $loss;
 		}
 		if(!isset($__load['loss_items']))
 		{
 			$loss_items = '';
 			if($this->db->hasColumn('players', 'loss_items')) {
 				$loss_items = ', `loss_items`, `loss_containers`';
 			}
 			$__load['loss_items'] = $loss_items;
 		}
 		if(!isset($__load['guild_info']))
 		{
 			$guild_info = '';
 			if(!$this->db->hasTable('guild_members') && $this->db->hasColumn('players', 'guildnick')) {
 				$guild_info = ', `guildnick`, `rank_id`';
 			}
 			$__load['guild_info'] = $guild_info;
 		}
 		if(!isset($__load['skull_type']))
 		{
 			$skull_type = 'skull';
 			if($this->db->hasColumn('players', 'skull_type')) {
 				$skull_type = 'skull_type';
 			}
 			$__load['skull_type'] = $skull_type;
 		}
 		if(!isset($__load['skull_time']))
 		{
 			$skull_time = 'skulltime';
 			if($this->db->hasColumn('players', 'skull_time')) {
 				$skull_time = 'skull_time';
 			}
 			$__load['skull_time'] = $skull_time;
 		}
 		if(!isset($__load['blessings'])) {
 			$__load['blessings'] = $this->db->hasColumn('players', 'blessings');
 		}
 		if(!isset($__load['direction'])) {
 			$__load['direction'] = $this->db->hasColumn('players', 'direction');
 		}
 		if(!isset($__load['stamina'])) {
 			$__load['stamina'] = $this->db->hasColumn('players', 'stamina');
 		}
 		if(!isset($__load['world_id'])) {
 			$__load['world_id'] = $this->db->hasColumn('players', 'world_id');
 		}
 		if(!isset($__load['online'])) {
 			$__load['online'] = $this->db->hasColumn('players', 'online');
 		}
 		if(!isset($__load['deletion'])) {
 			$__load['deletion'] = $this->db->hasColumn('players', 'deletion');
 		}
 		if(!isset($__load['promotion'])) {
 			$__load['promotion'] = $this->db->hasColumn('players', 'promotion');
 		}
 		if(!isset($__load['marriage'])) {
 			$__load['marriage'] = $this->db->hasColumn('players', 'marriage');
 		}
 		if(isset($fields)) { // load only what we wish
 			if(in_array('promotion', $fields)) {
 				if(!$this->db->hasColumn('players', 'promotion')) {
 					unset($fields[array_search('promotion', $fields)]);
 				}
 			}
 			if(in_array('deleted', $fields)) {
 				if($this->db->hasColumn('players', 'deletion')) {
 					unset($fields[array_search('deleted', $fields)]);
@@ -138,21 +224,21 @@ class OTS_Player extends OTS_Row_DAO
 				}
 			}
-			$columns = [];
+			if(in_array('online', $fields)) {
-			foreach ($fields as $field) {
+				if(!$this->db->hasColumn('players', 'online')) {
-				if ($this->db->hasColumn('players', $field)) {
+					unset($fields[array_search('online', $fields)]);
 					$columns[] = $field;
 				}
 			}
 			$this->data = $this->db->query('SELECT ' . implode(', ', $fields) . ' FROM `players` WHERE `id` = ' . (int)$id)->fetch();
 		}
 		else {
 			// SELECT query on database
 			$this->data = $this->db->query('SELECT `id`, `name`, `account_id`, `group_id`, `sex`, `vocation`, `experience`, `level`, `maglevel`, `health`, `healthmax`, `mana`, `manamax`, `manaspent`, `soul`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`' . ($this->db->hasColumn('players', 'lookaddons') ? ', `lookaddons`' : '') . ', `posx`, `posy`, `posz`, `cap`, `lastlogin`, `lastlogout`, `lastip`, `save`, `conditions`, `' . $__load['skull_time'] . '` as `skulltime`, `' . $__load['skull_type'] . '` as `skull`' . $__load['guild_info'] . ', `town_id`' . $__load['loss_experience'] . $__load['loss_items'] . ', `balance`' . ($__load['blessings'] ? ', `blessings`' : '') . ($__load['direction'] ? ', `direction`' : '') . ($__load['stamina'] ? ', `stamina`' : '') . ($__load['world_id'] ? ', `world_id`' : '') . ($__load['online'] ? ', `online`' : '') . ', `' . ($__load['deletion'] ? 'deletion' : 'deleted') . '`' . ($__load['promotion'] ? ', `promotion`' : '') . ($__load['marriage'] ? ', `marriage`' : '') . ', `comment`, `created`, `hide` FROM `players` WHERE `id` = ' . (int)$id)->fetch();
 		}
 		array_unshift($columns, 'id');
 		$query = PlayerModel::where('id', $id)->first($columns);
 		$this->data = $query ? $query->toArray() : [];
 		// loads skills
-		if( $this->isLoaded() && $load_skills) {
+		if( $this->isLoaded() && $load_skills)
 		{
 			if($this->db->hasColumn('players', 'skill_fist')) {
 				$skill_ids = array(
@@ -232,65 +318,153 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function save()
 	{
-		$defaultValues = [
+		$skull_type = 'skull';
-			'cap' => 0,
+		if($this->db->hasColumn('players', 'skull_type')) {
-			'skull' => 0,
+			$skull_type = 'skull_type';
 			'skull_type' => 0,
 			'skull_time' => 0,
 			'loss_experience' => 100,
 			'loss_mana' => 100,
 			'loss_skills' => 100,
 			'loss_items' => 100,
 			'loss_containers' => 100,
 			'guildnick' => '',
 			'rank_id' => 0,
 			'promotion' => 0,
 			'direction' => 0,
 			'blessings' => 0,
 			'stamina' => 0,
 			'lookaddons' => 0,
 			'save' => 1,
 			'conditions' => '',
 			'town_id' => 1,
 			'world_id' => 1,
 			'online' => 0,
 			'deletion' => 0,
 			'deleted' => 0,
 			'marriage' => 0,
 		];
 		foreach ($defaultValues as $key => $value) {
 			if (!isset($this->data[$key])) {
 				$this->data[$key] = $value;
 			}
 		}
-		$columns = $this->columns;
+		$skull_time = 'skulltime';
-		foreach ($this->optionalColumns as $column) {
+		if($this->db->hasColumn('players', 'skull_time')) {
-			if ($this->db->hasColumn('players', $column)) {
+			$skull_time = 'skull_time';
 				$columns[] = $column;
 			}
 		}
-		$values = [];
+		if(!isset($this->data['loss_experience']))
-		foreach ($columns as $column) {
+			$this->data['loss_experience'] = 100;
 			$value = $this->data[$column];
-			$values[$column] = $value;
+		if(!isset($this->data['loss_mana']))
-		}
+			$this->data['loss_mana'] = 100;
 		if(!isset($this->data['loss_skills']))
 			$this->data['loss_skills'] = 100;
 		if(!isset($this->data['loss_items']))
 			$this->data['loss_items'] = 10;
 		if(!isset($this->data['loss_containers']))
 			$this->data['loss_containers'] = 100;
 		if(!isset($this->data['guildnick']))
 			$this->data['guildnick'] = '';
 		if(!isset($this->data['rank_id']))
 			$this->data['rank_id'] = 0;
 		if(!isset($this->data['promotion']))
 			$this->data['promotion'] = 0;
 		if(!isset($this->data['direction']))
 			$this->data['direction'] = 0;
 		if(!isset($this->data['conditions']))
 			$this->data['conditions'] = '';
 		if(!isset($this->data['town_id']))
 			$this->data['town_id'] = 1;
 		// updates existing player
-		if( isset($this->data['id']) ) {
+		if( isset($this->data['id']) )
-			PlayerModel::where('id', $this->data['id'])->update($values);
+		{
 			$loss = '';
 			if($this->db->hasColumn('players', 'loss_experience')) {
 				$loss = ', `loss_experience` = ' . $this->data['loss_experience'] . ', `loss_mana` = ' . $this->data['loss_mana'] . ', `loss_skills` = ' . $this->data['loss_skills'];
 			}
 			$loss_items = '';
 			if($this->db->hasColumn('players', 'loss_items')) {
 				$loss_items = ', `loss_items` = ' . $this->data['loss_items'] . ', `loss_containers` = ' . $this->data['loss_containers'];
 			}
 			$guild_info = '';
 			if(!$this->db->hasTable('guild_members') && $this->db->hasColumn('players', 'guildnick')) {
 				$guild_info = ', `guildnick` = ' . $this->db->quote($this->data['guildnick']) . ', ' . $this->db->fieldName('rank_id') . ' = ' . $this->data['rank_id'];
 			}
 			$direction = '';
 			if($this->db->hasColumn('players', 'direction')) {
 				$direction = ', `direction` = ' . $this->db->quote($this->data['direction']);
 			}
 			$blessings = '';
 			if($this->db->hasColumn('players', 'blessings')) {
 				$blessings = ', `blessings` = ' . $this->db->quote($this->data['blessings']);
 			}
 			$stamina = '';
 			if($this->db->hasColumn('players', 'stamina')) {
 				$stamina = ', `stamina` = ' . $this->db->quote($this->data['stamina']);
 			}
 			$lookaddons = '';
 			if($this->db->hasColumn('players', 'lookaddons')) {
 				$lookaddons = ', `lookaddons` = ' . $this->db->quote($this->data['lookaddons']);
 			}
 			// UPDATE query on database
 			$this->db->query('UPDATE ' . $this->db->tableName('players') . ' SET ' . $this->db->fieldName('name') . ' = ' . $this->db->quote($this->data['name']) . ', ' . $this->db->fieldName('account_id') . ' = ' . $this->data['account_id'] . ', ' . $this->db->fieldName('group_id') . ' = ' . $this->data['group_id'] . ', ' . $this->db->fieldName('sex') . ' = ' . $this->data['sex'] . ', ' . $this->db->fieldName('vocation') . ' = ' . $this->data['vocation'] . ', ' . $this->db->fieldName('experience') . ' = ' . $this->data['experience'] . ', ' . $this->db->fieldName('level') . ' = ' . $this->data['level'] . ', ' . $this->db->fieldName('maglevel') . ' = ' . $this->data['maglevel'] . ', ' . $this->db->fieldName('health') . ' = ' . $this->data['health'] . ', ' . $this->db->fieldName('healthmax') . ' = ' . $this->data['healthmax'] . ', ' . $this->db->fieldName('mana') . ' = ' . $this->data['mana'] . ', ' . $this->db->fieldName('manamax') . ' = ' . $this->data['manamax'] . ', ' . $this->db->fieldName('manaspent') . ' = ' . $this->data['manaspent'] . ', ' . $this->db->fieldName('soul') . ' = ' . $this->data['soul'] . ', ' . $this->db->fieldName('lookbody') . ' = ' . $this->data['lookbody'] . ', ' . $this->db->fieldName('lookfeet') . ' = ' . $this->data['lookfeet'] . ', ' . $this->db->fieldName('lookhead') . ' = ' . $this->data['lookhead'] . ', ' . $this->db->fieldName('looklegs') . ' = ' . $this->data['looklegs'] . ', ' . $this->db->fieldName('looktype') . ' = ' . $this->data['looktype'] . $lookaddons . ', ' . $this->db->fieldName('posx') . ' = ' . $this->data['posx'] . ', ' . $this->db->fieldName('posy') . ' = ' . $this->data['posy'] . ', ' . $this->db->fieldName('posz') . ' = ' . $this->data['posz'] . ', ' . $this->db->fieldName('cap') . ' = ' . $this->data['cap'] . ', ' . $this->db->fieldName('lastlogin') . ' = ' . $this->data['lastlogin'] . ', ' . $this->db->fieldName('lastlogout') . ' = ' . $this->data['lastlogout'] . ', ' . $this->db->fieldName('lastip') . ' = ' . $this->db->quote($this->data['lastip']) . ', ' . $this->db->fieldName('save') . ' = ' . (int) $this->data['save'] . ', ' . $this->db->fieldName('conditions') . ' = ' . $this->db->quote($this->data['conditions']) . ', `' . $skull_time . '` = ' . $this->data['skulltime'] . ', `' . $skull_type . '` = ' . (int) $this->data['skull'] . $guild_info . ', ' . $this->db->fieldName('town_id') . ' = ' . $this->data['town_id'] . $loss . $loss_items . ', ' . $this->db->fieldName('balance') . ' = ' . $this->data['balance'] . $blessings . $stamina . $direction . ' WHERE ' . $this->db->fieldName('id') . ' = ' . $this->data['id']);
 		}
 		// creates new player
-		else {
+		else
-			$values['created'] = time();
+		{
 			$loss = '';
 			$loss_data = '';
 			if($this->db->hasColumn('players', 'loss_experience')) {
 				$loss = ', `loss_experience`, `loss_mana`, `loss_skills`';
 				$loss_data = ', ' . $this->data['loss_experience'] . ', ' . $this->data['loss_mana'] . ', ' . $this->data['loss_skills'];
 			}
-			$player = PlayerModel::create($values);
+			$loss_items = '';
 			$loss_items_data = '';
 			if($this->db->hasColumn('players', 'loss_items')) {
 				$loss_items = ', `loss_items`, `loss_containers`';
 				$loss_items_data = ', ' . $this->data['loss_items'] . ', ' . $this->data['loss_containers'];
 			}
-			// ID of new player
+			$guild_info = '';
-			$this->data['id'] = $player->id;
+			$guild_info_data = '';
 			if(!$this->db->hasTable('guild_members') && $this->db->hasColumn('players', 'guildnick')) {
 				$guild_info = ', `guildnick`, `rank_id`';
 				$guild_info_data = ', ' . $this->db->quote($this->data['guildnick']) . ', ' . $this->data['rank_id'];
 			}
 			$promotion = '';
 			$promotion_data = '';
 			if($this->db->hasColumn('players', 'promotion')) {
 				$promotion = ', `promotion`';
 				$promotion_data = ', ' . $this->data['promotion'];
 			}
 			$direction = '';
 			$direction_data = '';
 			if($this->db->hasColumn('players', 'direction')) {
 				$direction = ', `direction`';
 				$direction_data = ', ' . $this->data['direction'];
 			}
 			$blessings = '';
 			$blessings_data = '';
 			if($this->db->hasColumn('players', 'blessings')) {
 				$blessings = ', `blessings`';
 				$blessings_data = ', ' . $this->data['blessings'];
 			}
 			$stamina = '';
 			$stamina_data = '';
 			if($this->db->hasColumn('players', 'stamina')) {
 				$stamina = ', `stamina`';
 				$stamina_data = ', ' . $this->data['stamina'];
 			}
 			$lookaddons = '';
 			$lookaddons_data = '';
 			if($this->db->hasColumn('players', 'lookaddons')) {
 				$lookaddons = ', `lookaddons`';
 				$lookaddons_data = ', ' . $this->data['lookaddons'];
 			}
 			// INSERT query on database
 			$this->db->query('INSERT INTO `players` (`name`, `account_id`, `group_id`, `sex`, `vocation`, `experience`, `level`, `maglevel`, `health`, `healthmax`, `mana`, `manamax`, `manaspent`, `soul`, `lookbody`, `lookfeet`, `lookhead`, `looklegs`, `looktype`' . $lookaddons . ', `posx`, `posy`, `posz`, `cap`, `lastlogin`, `lastlogout`, `lastip`, `save`, `conditions`, `' . $skull_time . '`, `' . $skull_type . '`' . $guild_info . ', `town_id`' . $loss . $loss_items . ', `balance`' . $blessings . $stamina . $direction . ', `created`' . $promotion . ', `comment`) VALUES (' . $this->db->quote($this->data['name']) . ', ' . $this->data['account_id'] . ', ' . $this->data['group_id'] . ', ' . $this->data['sex'] . ', ' . $this->data['vocation'] . ', ' . $this->data['experience'] . ', ' . $this->data['level'] . ', ' . $this->data['maglevel'] . ', ' . $this->data['health'] . ', ' . $this->data['healthmax'] . ', ' . $this->data['mana'] . ', ' . $this->data['manamax'] . ', ' . $this->data['manaspent'] . ', ' . $this->data['soul'] . ', ' . $this->data['lookbody'] . ', ' . $this->data['lookfeet'] . ', ' . $this->data['lookhead'] . ', ' . $this->data['looklegs'] . ', ' . $this->data['looktype'] . $lookaddons_data . ', ' . $this->data['posx'] . ', ' . $this->data['posy'] . ', ' . $this->data['posz'] . ', ' . $this->data['cap'] . ', ' . $this->data['lastlogin'] . ', ' . $this->data['lastlogout'] . ', ' . $this->data['lastip'] . ', ' . (int) $this->data['save'] . ', ' . $this->db->quote($this->data['conditions']) . ', ' . $this->data['skulltime'] . ', ' . (int) $this->data['skull'] . $guild_info_data . ', ' . $this->data['town_id'] . $loss_data . $loss_items_data . ', ' . $this->data['balance'] . $blessings_data . $stamina_data . $direction_data . ', ' . time() . $promotion_data . ', "")');
 			// ID of new group
 			$this->data['id'] = $this->db->lastInsertId();
 		}
 		// updates skills - doesn't matter if we have just created character - trigger inserts new skills
@@ -316,7 +490,7 @@ class OTS_Player extends OTS_Row_DAO
 					$set .= ',';
 			}
-			$this->db->query('UPDATE `players` SET ' . $set . ' WHERE `id` = ' . $this->data['id']);
+			$skills = $this->db->query('UPDATE `players` SET ' . $set . ' WHERE `id` = ' . $this->data['id']);
 		}
 		else if($this->db->hasTable('player_skills')) {
 			foreach($this->skills as $id => $skill)
@@ -574,25 +748,21 @@ class OTS_Player extends OTS_Row_DAO
 	public function isDeleted()
 	{
-		$column = 'deleted';
+		$field = 'deleted';
 		if($this->db->hasColumn('players', 'deletion'))
-			$column = 'deletion';
+			$field = 'deletion';
-		if( !isset($this->data[$column]) )
+		if( !isset($this->data[$field]) )
 		{
 			throw new E_OTS_NotLoaded();
 		}
-		return $this->data[$column] > 0;
+		return $this->data[$field] > 0;
 	}
 	public function setDeleted($deleted)
 	{
-		$column = 'deleted';
+		$this->data['deleted'] = (int) $deleted;
 		if($this->db->hasColumn('players', 'deletion'))
 			$column = 'deletion';
 		$this->data[$column] = (int) $deleted;
 	}
 	public function isOnline()
@@ -682,7 +852,13 @@ class OTS_Player extends OTS_Row_DAO
 			throw new E_OTS_NotLoaded();
 		}
-		return \OTS_Toolbox::getVocationFromPromotion($this->data['vocation'], $this->data['promotion'] ?? 0);
+		if(isset($this->data['promotion'])) {
 			global $config;
 			if((int)$this->data['promotion'] > 0)
 				return ($this->data['vocation'] + ($this->data['promotion'] * $config['vocations_amount']));
 		}
 		return $this->data['vocation'];
 	}
@@ -1398,7 +1574,12 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function getCap()
 	{
-		return $this->data['cap'] ?? 0;
+		if( !isset($this->data['cap']) )
 		{
 			throw new E_OTS_NotLoaded();
 		}
 		return $this->data['cap'];
 	}
 /**
@@ -1611,12 +1792,12 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function getSkullTime()
 	{
-		$column = 'skulltime';
+		if( !isset($this->data['skulltime']) )
-		if($this->db->hasColumn('players', 'skull_time')) {
+		{
-			$column = 'skull_time';
+			throw new E_OTS_NotLoaded();
 		}
-		return $this->data[$column] ?? 0;
+		return $this->data['skulltime'];
 	}
 /**
@@ -1630,12 +1811,7 @@ class OTS_Player extends OTS_Row_DAO
 */
 	public function setSkullTime($skulltime)
 	{
-		$column = 'skulltime';
+		$this->data['skulltime'] = (int) $skulltime;
 		if($this->db->hasColumn('players', 'skull_time')) {
 			$column = 'skull_time';
 		}
 		$this->data[$column] = (int) $skulltime;
 	}
 /**
@@ -3074,10 +3250,6 @@ class OTS_Player extends OTS_Row_DAO
 		return 0;
 	}
 	public function setData(array $data): void{
 		$this->data = $data;
 	}
 /**
 * Magic PHP5 method.
 *
--- a/system/libs/pot/OTS_Toolbox.php
+++ b/system/libs/pot/OTS_Toolbox.php
@@ -13,8 +13,6 @@
 * @license http://www.gnu.org/licenses/lgpl-3.0.txt GNU Lesser General Public License, Version 3
 */
 use MyAAC\Server\XML\Vocations;
 /**
 * Toolbox for common operations.
 *
@@ -112,21 +110,14 @@ class OTS_Toolbox
 		$list->setFilter($filter);
 		return $list;
 	}
-	public static function getVocationFromPromotion($id, $promotion = 0): int
+
 	public static function getVocationName($id, $promotion = 0): string
 	{
 		if($promotion > 0) {
-			for ($i = 0; $i < $promotion; $i++) {
+			$id = ($id + ($promotion * config('vocations_amount')));
 				if ($_id = Vocations::getPromoted($id)) {
 					$id = $_id;
 				}
 			}
 		}
-		return $id;
+		return config('vocations')[$id] ?? 'Unknown';
 	}
 	public static function getVocationName($id, $promotion = 0): string {
 		return config('vocations')[self::getVocationFromPromotion($id, $promotion)] ?? 'Unknown';
 	}
 }
--- a/system/libs/rfc6238.php
+++ b/system/libs/rfc6238.php
@@ -0,0 +1,284 @@
 <?php
 /** https://github.com/Voronenko/PHPOTP/blob/08cda9cb9c30b7242cf0b3a9100a6244a2874927/code/base32static.php
 * Encode in Base32 based on RFC 4648.
 * Requires 20% more space than base64
 * Great for case-insensitive filesystems like Windows and URL's  (except for = char which can be excluded using the pad option for urls)
 *
 * @package default
 * @author Bryan Ruiz
 **/
 class Base32Static {
 	private static $map = array(
 		'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', //  7
 		'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
 		'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
 		'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
 		'='  // padding character
 	);
 	private static $flippedMap = array(
 		'A'=>'0', 'B'=>'1', 'C'=>'2', 'D'=>'3', 'E'=>'4', 'F'=>'5', 'G'=>'6', 'H'=>'7',
 		'I'=>'8', 'J'=>'9', 'K'=>'10', 'L'=>'11', 'M'=>'12', 'N'=>'13', 'O'=>'14', 'P'=>'15',
 		'Q'=>'16', 'R'=>'17', 'S'=>'18', 'T'=>'19', 'U'=>'20', 'V'=>'21', 'W'=>'22', 'X'=>'23',
 		'Y'=>'24', 'Z'=>'25', '2'=>'26', '3'=>'27', '4'=>'28', '5'=>'29', '6'=>'30', '7'=>'31'
 	);
 	/**
 	 * Use padding false when encoding for urls
 	 *
 	 * @return base32 encoded string
 	 * @author Bryan Ruiz
 	 **/
 	public static function encode($input, $padding = true) {
 		if(empty($input)) return "";
 		$input = str_split($input);
 		$binaryString = "";
 		for($i = 0; $i < count($input); $i++) {
 			$binaryString .= str_pad(base_convert(ord($input[$i]), 10, 2), 8, '0', STR_PAD_LEFT);
 		}
 		$fiveBitBinaryArray = str_split($binaryString, 5);
 		$base32 = "";
 		$i=0;
 		while($i < count($fiveBitBinaryArray)) {
 			$base32 .= self::$map[base_convert(str_pad($fiveBitBinaryArray[$i], 5,'0'), 2, 10)];
 			$i++;
 		}
 		if($padding && ($x = strlen($binaryString) % 40) != 0) {
 			if($x == 8) $base32 .= str_repeat(self::$map[32], 6);
 			else if($x == 16) $base32 .= str_repeat(self::$map[32], 4);
 			else if($x == 24) $base32 .= str_repeat(self::$map[32], 3);
 			else if($x == 32) $base32 .= self::$map[32];
 		}
 		return $base32;
 	}
 	public static function decode($input) {
 		if(empty($input)) return;
 		$paddingCharCount = substr_count($input, self::$map[32]);
 		$allowedValues = array(6,4,3,1,0);
 		if(!in_array($paddingCharCount, $allowedValues)) return false;
 		for($i=0; $i<4; $i++){
 			if($paddingCharCount == $allowedValues[$i] &&
 				substr($input, -($allowedValues[$i])) != str_repeat(self::$map[32], $allowedValues[$i])) return false;
 		}
 		$input = str_replace('=','', $input);
 		$input = str_split($input);
 		$binaryString = "";
 		for($i=0; $i < count($input); $i = $i+8) {
 			$x = "";
 			if(!in_array($input[$i], self::$map)) return false;
 			for($j=0; $j < 8; $j++) {
 				$x .= str_pad(base_convert(@self::$flippedMap[@$input[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
 			}
 			$eightBits = str_split($x, 8);
 			for($z = 0; $z < count($eightBits); $z++) {
 				$binaryString .= ( ($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48 ) ? $y:"";
 			}
 		}
 		return $binaryString;
 	}
 }
 // http://www.faqs.org/rfcs/rfc6238.html
 // https://github.com/Voronenko/PHPOTP/blob/08cda9cb9c30b7242cf0b3a9100a6244a2874927/code/rfc6238.php
 // Local changes: http -> https, consistent indentation, 200x200 -> 300x300 QR image size, PHP end tag
 class TokenAuth6238 {
 	/**
 	 * verify
 	 *
 	 * @param string $secretkey Secret clue (base 32).
 	 * @return bool True if success, false if failure
 	 */
 	public static function verify($secretkey, $code, $rangein30s = 3) {
 		$key = base32static::decode($secretkey);
 		$unixtimestamp = time()/30;
 		for($i=-($rangein30s); $i<=$rangein30s; $i++) {
 			$checktime = (int)($unixtimestamp+$i);
 			$thiskey = self::oath_hotp($key, $checktime);
 			if ((int)$code == self::oath_truncate($thiskey,6)) {
 				return true;
 			}
 		}
 		return false;
 	}
 	public static function getTokenCode($secretkey,$rangein30s = 3) {
 		$result = "";
 		$key = base32static::decode($secretkey);
 		$unixtimestamp = time()/30;
 		for($i=-($rangein30s); $i<=$rangein30s; $i++) {
 			$checktime = (int)($unixtimestamp+$i);
 			$thiskey = self::oath_hotp($key, $checktime);
 			$result = $result." # ".self::oath_truncate($thiskey,6);
 		}
 		return $result;
 	}
 	public static function getTokenCodeDebug($secretkey,$rangein30s = 3) {
 		$result = "";
 		print "<br/>SecretKey: $secretkey <br/>";
 		$key = base32static::decode($secretkey);
 		print "Key(base 32 decode): $key <br/>";
 		$unixtimestamp = time()/30;
 		print "UnixTimeStamp (time()/30): $unixtimestamp <br/>";
 		for($i=-($rangein30s); $i<=$rangein30s; $i++) {
 			$checktime = (int)($unixtimestamp+$i);
 			print "Calculating oath_hotp from (int)(unixtimestamp +- 30sec offset): $checktime basing on secret key<br/>";
 			$thiskey = self::oath_hotp($key, $checktime, true);
 			print "======================================================<br/>";
 			print "CheckTime: $checktime oath_hotp:".$thiskey."<br/>";
 			$result = $result." # ".self::oath_truncate($thiskey,6,true);
 		}
 		return $result;
 	}
 	public static function getBarCodeUrl($username, $domain, $secretkey, $issuer) {
 		$url = "https://chart.apis.google.com/chart";
 		$url = $url."?chs=300x300&chld=M|0&cht=qr&chl=otpauth://totp/";
 		$url = $url.$username . "@" . $domain . "%3Fsecret%3D" . $secretkey . '%26issuer%3D' . rawurlencode($issuer);
 		return $url;
 	}
 	public static function generateRandomClue($length = 16) {
 		$b32 = "234567QWERTYUIOPASDFGHJKLZXCVBNM";
 		$s = "";
 		for ($i = 0; $i < $length; $i++)
 			$s .= $b32[rand(0,31)];
 		return $s;
 	}
 	private static function hotp_tobytestream($key) {
 		$result = array();
 		$last = strlen($key);
 		for ($i = 0; $i < $last; $i = $i + 2) {
 			$x = $key[$i] + $key[$i + 1];
 			$x = strtoupper($x);
 			$x = hexdec($x);
 			$result =  $result.chr($x);
 		}
 		return $result;
 	}
 	private static function oath_hotp ($key, $counter, $debug=false) {
 		$result = "";
 		$orgcounter = $counter;
 		$cur_counter = array(0,0,0,0,0,0,0,0);
 		if ($debug) {
 			print "Packing counter $counter (".dechex($counter).")into binary string - pay attention to hex representation of key and binary representation<br/>";
 		}
 		for($i=7;$i>=0;$i--) { // C for unsigned char, * for  repeating to the end of the input data
 			$cur_counter[$i] = pack ('C*', $counter);
 			if ($debug)  {
 				print $cur_counter[$i]."(".dechex(ord($cur_counter[$i])).")"." from $counter <br/>";
 			}
 			$counter = $counter >> 8;
 		}
 		if ($debug) {
 			foreach ($cur_counter as $char) {
 				print ord($char) . " ";
 			}
 			print "<br/>";
 		}
 		$binary = implode($cur_counter);
 		// Pad to 8 characters
 		str_pad($binary, 8, chr(0), STR_PAD_LEFT);
 		if ($debug)  {
 			print "Prior to HMAC calculation pad with zero on the left until 8 characters.<br/>";
 			print "Calculate sha1 HMAC(Hash-based Message Authentication Code http://en.wikipedia.org/wiki/HMAC).<br/>";
 			print "hash_hmac ('sha1', $binary, $key)<br/>";
 		}
 		$result = hash_hmac ('sha1', $binary, $key);
 		if ($debug) {
 			print "Result: $result <br/>";
 		}
 		return $result;
 	}
 	private static function oath_truncate($hash, $length = 6, $debug=false) {
 		$result="";
 		// Convert to dec
 		if($debug) {
 			print "converting hex hash into characters<br/>";
 		}
 		$hashcharacters = str_split($hash,2);
 		if($debug) {
 			print_r($hashcharacters);
 			print "<br/>and convert to decimals:<br/>";
 		}
 		for ($j=0; $j<count($hashcharacters); $j++) {
 			$hmac_result[]=hexdec($hashcharacters[$j]);
 		}
 		if($debug) {
 			print_r($hmac_result);
 		}
 		// http://php.net/manual/ru/function.hash-hmac.php
 		// adopted from brent at thebrent dot net 21-May-2009 08:17 comment
 		$offset = $hmac_result[19] & 0xf;
 		if($debug) {
 			print "Calculating offset as 19th element of hmac:".$hmac_result[19]."<br/>";
 			print "offset:".$offset;
 		}
 		$result = (
 				(($hmac_result[$offset+0] & 0x7f) << 24 ) |
 				(($hmac_result[$offset+1] & 0xff) << 16 ) |
 				(($hmac_result[$offset+2] & 0xff) << 8 ) |
 				($hmac_result[$offset+3] & 0xff)
 			) % pow(10,$length);
 		return $result;
 	}
 }
--- a/system/locale/de/install.php
+++ b/system/locale/de/install.php
@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Nicht geladen';
 $locale['loading_spinner'] = 'Bitte warten, installieren...';
 $locale['importing_spinner'] = 'Bitte warte, Daten werden importiert...';
 $locale['please_fill_all'] = 'Bitte füllen Sie alle Felder aus!';
-$locale['already_installed'] = 'MyAAC wurde bereits installiert. Bitte löschen <b>install/</b> Verzeichnis. Wenn Sie MyAAC neu installieren möchten, löschen Sie die Datei <strong>config.local.php</strong> aus dem Hauptverzeichnis und aktualisieren Sie die Seite.';
+$locale['already_installed'] = 'MyAAC wurde bereits installiert. Wenn Sie MyAAC neu installieren möchten, löschen Sie die Datei <strong>config.local.php</strong> aus dem Hauptverzeichnis und aktualisieren Sie die Seite.';
 // welcome
 $locale['step_welcome'] = 'Willkommen';
--- a/system/locale/en/install.php
+++ b/system/locale/en/install.php
@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Not loaded';
 $locale['loading_spinner'] = 'Please wait, installing...';
 $locale['importing_spinner'] = 'Please wait, importing data...';
 $locale['please_fill_all'] = 'Please fill all inputs!';
-$locale['already_installed'] = 'MyAAC has been already installed. Please delete <b>install/</b> directory. If you want to reinstall MyAAC - please delete <strong>config.local.php</strong> file from the main directory and refresh the page.';
+$locale['already_installed'] = 'MyAAC has been already installed. If you want to reinstall MyAAC - please delete <strong>config.local.php</strong> file from the main directory and refresh the page.';
 // welcome
 $locale['step_welcome'] = 'Welcome';
--- a/system/locale/pl/install.php
+++ b/system/locale/pl/install.php
@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Nie załadowane';
 $locale['loading_spinner'] = 'Proszę czekać, trwa instalacja...';
 $locale['importing_spinner'] = 'Proszę czekać, trwa importowanie danych...';
 $locale['please_fill_all'] = 'Proszę wypełnić wszystkie pola!';
-$locale['already_installed'] = 'MyAAC został już zainstalowany. Proszę usunąć katalog <b>install/</b>. Jeśli chcesz zainstalować MyAAC od nowa - proszę usuń plik <strong>config.local.php</strong> z katalogu głównego i odśwież stronę.';
+$locale['already_installed'] = 'MyAAC został już zainstalowany. Jeśli chcesz zainstalować MyAAC od nowa - proszę usuń plik <strong>config.local.php</strong> z katalogu głównego i odśwież stronę.';
 // welcome
 $locale['step_welcome'] = 'Witamy';
--- a/system/locale/pt_br/install.php
+++ b/system/locale/pt_br/install.php
@@ -20,7 +20,7 @@ $locale['not_loaded'] = 'Não carregado';
 $locale['loading_spinner'] = 'Por favor aguarde, instalando...';
 $locale['importing_spinner'] = 'Por favor, aguarde, importando dados...';
 $locale['please_fill_all'] = 'Por favor, preencha todas as entradas!';
-$locale['already_installed'] = 'MyAAC já foi instalado. Por favor, apague o diretório <b> install/ <b/>. Se você quiser reinstalar o MyAAC - exclua o arquivo <strong> config.local.php </strong> do diretório principal e atualize a página.';
+$locale['already_installed'] = 'MyAAC já foi instalado. Se você quiser reinstalar o MyAAC - exclua o arquivo <strong> config.local.php </strong> do diretório principal e atualize a página.';
 // welcome
 $locale['step_welcome'] = 'Bem vindo';
--- a/system/locale/sv/install.php
+++ b/system/locale/sv/install.php
@@ -18,7 +18,7 @@ $locale['loaded'] = 'Laddad';
 $locale['not_loaded'] = 'Inte Laddad';
 $locale['please_fill_all'] = 'Vänligen fyll i allt!';
-$locale['already_installed'] = 'MyAAC är redan installerat. Vänligen ta bort <b>install/<b/> mappen. Om du vill installera MyAAC igen - ta bort filen <strong>config.local.php</strong> från huvudkatalogen och uppdatera sidan.';
+$locale['already_installed'] = 'MyAAC är redan installerat. Om du vill installera MyAAC igen - ta bort filen <strong>config.local.php</strong> från huvudkatalogen och uppdatera sidan.';
 // welcome
 $locale['step_welcome'] = 'Välkommen';
--- a/system/migrations/20.php
+++ b/system/migrations/20.php
@@ -1,6 +1,5 @@
 <?php
 use MyAAC\Models\Player as PlayerModel;
 use MyAAC\Settings;
 function updateHighscoresIdsHidden(): void
@@ -11,22 +10,12 @@ function updateHighscoresIdsHidden(): void
 		return;
 	}
-	$players = PlayerModel::where('name', 'Rook Sample')
+	$query = $db->query("SELECT `id` FROM `players` WHERE (`name` = " . $db->quote("Rook Sample") . " OR `name` = " . $db->quote("Sorcerer Sample") . " OR `name` = " . $db->quote("Druid Sample") . " OR `name` = " . $db->quote("Paladin Sample") . " OR `name` = " . $db->quote("Knight Sample") . " OR `name` = " . $db->quote("Account Manager") . ") ORDER BY `id`;");
 		->orWhere('name', 'Sorcerer Sample')
 		->orWhere('name', 'Druid Sample')
 		->orWhere('name', 'Paladin Sample')
 		->orWhere('name', 'Knight Sample')
 		->orWhere('name', 'Monk Sample')
 		->orWhere('name', 'Account Manager')
 		->orderBy('id')
 		->select('id')
 		->get();
-	$highscores_ignored_ids = [];
+	$highscores_ignored_ids = array();
-	if (count($players) > 0) {
+	if ($query->rowCount() > 0) {
-		foreach ($players as $result) {
+		foreach ($query->fetchAll() as $result)
-			$highscores_ignored_ids[] = $result->id;
+			$highscores_ignored_ids[] = $result['id'];
 		}
 	} else {
 		$highscores_ignored_ids[] = 0;
 	}
--- a/system/migrations/47.php
+++ b/system/migrations/47.php
@@ -1,42 +0,0 @@
 <?php
 /**
 * @var OTS_DB_MySQL $db
 */
 // 2025-02-27
 // remove ipv6, change to ip (for both ipv4 + ipv6) as VARCHAR(45)
 $up = function () use ($db) {
 	$accountActionsInfo = $db->getColumnInfo(TABLE_PREFIX . 'account_actions', 'account_id');
 	if ($accountActionsInfo && is_array($accountActionsInfo) && $accountActionsInfo['key'] == 'pri') {
 		$db->query("ALTER TABLE `myaac_account_actions` DROP KEY `account_id`;");
 	}
 	if (!$db->hasColumn(TABLE_PREFIX . 'account_actions', 'id')) {
 		$db->addColumn(TABLE_PREFIX . 'account_actions', 'id', 'INT NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (`id`)');
 	}
 	$db->modifyColumn(TABLE_PREFIX . 'account_actions', 'ip', "VARCHAR(45) NOT NULL DEFAULT ''");
 	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = INET_NTOA(`ip`) WHERE `ip` != '0';");
 	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = INET6_NTOA(`ipv6`) WHERE `ip` = '0';");
 	if ($db->hasColumn(TABLE_PREFIX . 'account_actions', 'ipv6')) {
 		$db->dropColumn(TABLE_PREFIX . 'account_actions', 'ipv6');
 	}
 };
 $down = function () use ($db) {
 	if ($db->hasColumn(TABLE_PREFIX . 'account_actions', 'id')) {
 		$db->query("ALTER TABLE `" . TABLE_PREFIX . "account_actions` DROP `id`;");
 	}
 	$db->query("ALTER TABLE  `" . TABLE_PREFIX . "account_actions` ADD KEY (`account_id`);");
 	if (!$db->hasColumn(TABLE_PREFIX . 'account_actions', 'ipv6')) {
 		$db->addColumn(TABLE_PREFIX . 'account_actions', 'ipv6', "BINARY(16) NOT NULL DEFAULT 0x00000000000000000000000000000000 AFTER ip");
 	}
 	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ipv6` = INET6_ATON(ip) WHERE NOT IS_IPV4(`ip`);");
 	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = INET_ATON(`ip`) WHERE IS_IPV4(`ip`);");
 	$db->query("UPDATE `" . TABLE_PREFIX . "account_actions` SET `ip` = 0 WHERE `ipv6` != 0x00000000000000000000000000000000;");
 	$db->modifyColumn(TABLE_PREFIX . 'account_actions', 'ip', "INT(11) UNSIGNED NOT NULL DEFAULT 0;");
 };
--- a/system/migrations/48.php
+++ b/system/migrations/48.php
@@ -1,16 +0,0 @@
 <?php
 /**
 * @var OTS_DB_MySQL $db
 */
 $up = function () use ($db) {
 	if (!$db->hasColumn(TABLE_PREFIX . 'menu', 'access')) {
 		$db->addColumn(TABLE_PREFIX . 'menu', 'access', 'TINYINT NOT NULL DEFAULT 0 AFTER `link`');
 	}
 };
 $down = function () use ($db) {
 	if ($db->hasColumn(TABLE_PREFIX . 'menu', 'access')) {
 		$db->dropColumn(TABLE_PREFIX . 'menu', 'access');
 	}
 };
--- a/system/migrations/49.php
+++ b/system/migrations/49.php
@@ -1,91 +0,0 @@
 <?php
 /**
 * @var OTS_DB_MySQL $db
 */
 use MyAAC\Models\Account as AccountModel;
 $time = time();
 $accountId = getSession('account') ?? 1;
 if (!defined('MYAAC_INSTALL')) {
 	$accountModel = AccountModel::where('web_flags', 3)->first();
 	if ($accountModel) {
 		$accountId = $accountModel->id;
 	}
 }
 function insert_sample_if_not_exist($p): void
 {
 	global $time, $accountId;
 	$player = new OTS_Player();
 	$player->find($p['name']);
 	if (!$player->isLoaded()) {
 		$player->setData([
 			'name' => $p['name'],
 			'group_id' => 1,
 			'account_id' => $accountId,
 			'level' => $p['level'],
 			'vocation' => $p['vocation_id'],
 			'health' => $p['health'],
 			'healthmax' => $p['healthmax'],
 			'experience' => $p['experience'],
 			'lookbody' => 118,
 			'lookfeet' => 114,
 			'lookhead' => 38,
 			'looklegs' => 57,
 			'looktype' => $p['looktype'],
 			'maglevel' => 0,
 			'mana' => $p['mana'],
 			'manamax' => $p['manamax'],
 			'manaspent' => 0,
 			'soul' => $p['soul'],
 			'town_id' => 1,
 			'posx' => 1000,
 			'posy' => 1000,
 			'posz' => 7,
 			'conditions' => '',
 			'cap' => $p['cap'],
 			'sex' => 1,
 			'lastlogin' => $time,
 			'lastip' => 2130706433,
 			'save' => 1,
 			'lastlogout' => $time,
 			'balance' => 0,
 			'created' => $time,
 			'hide' => 1,
 			'comment' => '',
 		]);
 		$player->save();
 	}
 }
 $up = function () use ($db) {
 	if (!$db->hasTable('players')) {
 		return;
 	}
 	insert_sample_if_not_exist(['name' => 'Rook Sample', 'level' => 1, 'vocation_id' => 0, 'health' => 150, 'healthmax' => 150, 'experience' => 0, 'looktype' => 130, 'mana' => 0, 'manamax' => 0, 'soul' => 100, 'cap' => 400]);
 	insert_sample_if_not_exist(['name' => 'Sorcerer Sample', 'level' => 8, 'vocation_id' => 1, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
 	insert_sample_if_not_exist(['name' => 'Druid Sample', 'level' => 8, 'vocation_id' => 2, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 130, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
 	insert_sample_if_not_exist(['name' => 'Paladin Sample', 'level' => 8, 'vocation_id' => 3, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 129, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
 	insert_sample_if_not_exist(['name' => 'Knight Sample', 'level' => 8, 'vocation_id' => 4, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 131, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
 	insert_sample_if_not_exist(['name' => 'Monk Sample', 'level' => 8, 'vocation_id' => 9, 'health' => 185, 'healthmax' => 185, 'experience' => 4200, 'looktype' => 128, 'mana' => 90, 'manamax' => 90, 'soul' => 100, 'cap' => 470]);
 	if (defined('MYAAC_INSTALL')) {
 		global $locale;
 		success($locale['step_database_imported_players']);
 	}
 	require_once __DIR__ . '/20.php';
 	updateHighscoresIdsHidden();
 };
 $down = function () {
 	// nothing
 };
--- a/system/migrations/50-gallery.sql
+++ b/system/migrations/50-gallery.sql
@@ -1,11 +0,0 @@
 CREATE TABLE IF NOT EXISTS `myaac_gallery`
 (
 	`id` int NOT NULL AUTO_INCREMENT,
 	`comment` varchar(255) NOT NULL DEFAULT '',
 	`image` varchar(255) NOT NULL,
 	`thumb` varchar(255) NOT NULL,
 	`author` varchar(50) NOT NULL DEFAULT '',
 	`ordering` int NOT NULL DEFAULT 0,
 	`hide` tinyint NOT NULL DEFAULT 0,
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
--- a/system/migrations/50.php
+++ b/system/migrations/50.php
@@ -1,16 +0,0 @@
 <?php
 /**
 * @var OTS_DB_MySQL $db
 */
 $up = function () use ($db) {
 	if ($db->hasTable(TABLE_PREFIX . 'gallery')) {
 		$db->dropTable(TABLE_PREFIX . 'gallery');
 	}
 };
 $down = function () use ($db) {
 	if (!$db->hasTable(TABLE_PREFIX . 'gallery')) {
 		$db->query(file_get_contents(__DIR__ . '/50-gallery.sql'));
 	}
 };
--- a/system/migrations/51-account_email_codes.sql
+++ b/system/migrations/51-account_email_codes.sql
@@ -1,8 +0,0 @@
 CREATE TABLE `myaac_account_email_codes`
 (
 	`id` int(11) NOT NULL AUTO_INCREMENT,
 	`account_id` int NOT NULL,
 	`code` varchar(6) NOT NULL,
 	`created_at` int NOT NULL,
 	PRIMARY KEY (`id`)
 ) ENGINE=InnoDB DEFAULT CHARACTER SET=utf8mb4;
--- a/system/migrations/51.php
+++ b/system/migrations/51.php
@@ -1,36 +0,0 @@
 <?php
 // 2fa
 // add the myaac_account_email_codes
 /**
 * @var OTS_DB_MySQL $db
 */
 $up = function () use ($db) {
 	if (!$db->hasColumn('accounts', '2fa_type')) {
 		$db->addColumn('accounts', '2fa_type', "tinyint NOT NULL DEFAULT 0 AFTER `web_flags`");
 	}
 	if (!$db->hasColumn('accounts', '2fa_secret')) {
 		$db->addColumn('accounts', '2fa_secret', "varchar(16) NOT NULL DEFAULT '' AFTER `2fa_type`");
 	}
 	// add myaac_account_email_codes table
 	if (!$db->hasTable(TABLE_PREFIX . 'account_email_codes')) {
 		$db->exec(file_get_contents(__DIR__ . '/51-account_email_codes.sql'));
 	}
 };
 $down = function () use ($db) {
 	if ($db->hasColumn('accounts', '2fa_type')) {
 		$db->dropColumn('accounts', '2fa_type');
 	}
 	if ($db->hasColumn('accounts', '2fa_secret')) {
 		$db->dropColumn('accounts', '2fa_secret');
 	}
 	if ($db->hasTable(TABLE_PREFIX . 'account_email_codes')) {
 		$db->dropTable(TABLE_PREFIX . 'account_email_codes');
 	}
 };
--- a/system/pages/#examples/top-5.php
+++ b/system/pages/#examples/top-5.php
@@ -1,29 +0,0 @@
 <?php
 /**
 * Example of using getTopPlayers() function
 * to display the best players for each skill
 */
 defined('MYAAC') or die('Direct access not allowed!');
 $skills = [
 	'magic', 'level',
 	'balance', 'frags',
 	POT::SKILL_FIST, POT::SKILL_CLUB,
 	POT::SKILL_SWORD, POT::SKILL_AXE,
 	POT::SKILL_DISTANCE, POT::SKILL_SHIELD,
 	POT::SKILL_FISH
 ];
 foreach ($skills as $skill) {?>
 <ul>
 <?php
 	echo '<strong>' . ucwords(is_string($skill) ? $skill : getSkillName($skill)) . '</strong>';
 	foreach (getTopPlayers(5, $skill) as $player) {?>
 		<li><?= $player['rank'] . '. ' . $player['name'] . ' - ' . $player['value']; ?></li>
 		<?php
 	}
 	?>
 </ul>
 <?php
 }
--- a/system/pages/account/2fa/app/disable.php
+++ b/system/pages/account/2fa/app/disable.php
@@ -1,26 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 require __DIR__ . '/../base.php';
 if (!isRequestMethod('post')) {
 	error('This page cannot be accessed directly.');
 	return;
 }
 if (!$account_logged->isLoaded()) {
 	error('Account not found!');
 	return;
 }
 if (!$twoFactorAuth->isActive($twoFactorAuth::TYPE_APP)) {
 	error("Your account does not have Two Factor App Authentication enabled.");
 	return;
 }
 $twoFactorAuth->disable();
 $twig->display('success.html.twig', [
 	'title' => 'Disabled',
 	'description' => 'Two Factor App Authentication has been disabled.'
 ]);
--- a/system/pages/account/2fa/app/enable.php
+++ b/system/pages/account/2fa/app/enable.php
@@ -1,105 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 require __DIR__ . '/../base.php';
 if ($twoFactorAuth->isActive()) {
 	$errors[] = 'Two-factor authentication is already enabled on your account.';
 	$twig->display('error_box.html.twig', ['errors' => $errors]);
 	return;
 }
 $explodeRecoveryKey = explode('-', $account_logged->getCustomField('key'));
 $newRecoveryKeyFormat = (count($explodeRecoveryKey) == 4);
 if (ACTION == 'request') {
 	if ($newRecoveryKeyFormat) {
 		$key = $_POST['key1'] . '-' . $_POST['key2'] . '-' . $_POST['key3'] . '-' . $_POST['key4'];
 	}
 	else {
 		$key = $_POST['key'];
 	}
 	$accountKey = $account_logged->getCustomField('key');
 	if (!empty($key) && $key == $accountKey) {
 		$secret = getSession('2fa_secret');
 		if ($secret === null) {
 			$secret = generateRandom2faSecret();
 			setSession('2fa_secret', $secret);
 		}
 		$twoFactorAuth->appDisplayEnable($secret);
 		return;
 	}
 	else {
 		if (empty($key)) {
 			$errors[] = 'Please enter the recovery key!';
 		}
 		else {
 			$errors[] = 'Invalid recovery key!';
 		}
 	}
 }
 if (ACTION == 'link') {
 	$secret = getSession('2fa_secret');
 	if ($secret === null) {
 		$twig->display('error_box.html.twig', ['errors' => ['Secret not set. Go back and try again.']]);
 		return;
 	}
 	$authCode = $_POST['auth-code'] ?? '';
 	if (!empty($authCode)) {
 		$otp = $twoFactorAuth->appInitTOTP($secret);
 		if (!$otp->verify($authCode)) {
 			$errors = ['Token is invalid!'];
 			$twig->display('error_box.html.twig', ['errors' => $errors]);
 			$twoFactorAuth->appDisplayEnable($secret, $otp, $errors);
 			return;
 		}
 		if ($db->hasColumn('accounts', 'secret')) {
 			$account_logged->setCustomField('secret', $secret);
 		}
 		$account_logged->setCustomField('2fa_secret', $secret);
 		$twoFactorAuth->enable(TwoFactorAuth::TYPE_APP);
 		$twig->display('success.html.twig',
 			[
 				'title' => 'Authenticator App Connected',
 				'description' => 'You successfully connected your Tibia account to an authenticator app.'
 			]
 		);
 		return;
 	}
 	else {
 		$errors = ['You have to enter the code generated by the authenticator!'];
 		$twig->display('error_box.html.twig', ['errors' => $errors]);
 		$twoFactorAuth->appDisplayEnable($secret, null, $errors);
 		return;
 	}
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', ['errors' => $errors]);
 }
 $twig->display('account/2fa/app/enable.warning.html.twig',
 	[
 		'newRecoveryKeyFormat' => $newRecoveryKeyFormat,
 		'errors' => $errors,
 	]
 );
--- a/system/pages/account/2fa/base.php
+++ b/system/pages/account/2fa/base.php
@@ -1,41 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 csrfProtect();
 $title = 'Two Factor Authentication';
 /**
 * @var OTS_Account $account_logged
 */
 $code = $_REQUEST['auth-code'] ?? '';
 if (!$account_logged->isLoaded()) {
 	$current_session = getSession('account');
 	if($current_session) {
 		$account_logged = new OTS_Account();
 		$account_logged->load($current_session);
 	}
 }
 $twoFactorAuth = TwoFactorAuth::getInstance($account_logged);
 $twig->addGlobal('account_logged', $account_logged);
 /**
 * Took from ZnoteAAC
 * @author Znote
 */
 function generateRandom2faSecret($length = 16): string
 {
 	$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
 	$charactersLength = strlen($characters);
 	$randomString = '';
 	for ($i = 0; $i < $length; $i++) {
 		$randomString .= $characters[rand(0, $charactersLength - 1)];
 	}
 	return $randomString;
 }
--- a/system/pages/account/2fa/email/disable.php
+++ b/system/pages/account/2fa/email/disable.php
@@ -1,34 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 require __DIR__ . '/../base.php';
 if ((!setting('core.mail_enabled'))) {
 	$twig->display('error_box.html.twig',  ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]);
 	return;
 }
 if (!isRequestMethod('post')) {
 	error('This page cannot be accessed directly.');
 	return;
 }
 if (!$account_logged->isLoaded()) {
 	error('Account not found!');
 	return;
 }
 if (!$twoFactorAuth->isActive($twoFactorAuth::TYPE_EMAIL)) {
 	error("Your account does not have Two Factor E-Mail Authentication enabled.");
 	return;
 }
 $twoFactorAuth->disable();
 $twoFactorAuth->deleteOldCodes();
 $twig->display('success.html.twig',
 	[
 		'title' => 'Email Code Authentication Disabled',
 		'description' => 'You have successfully <strong>disabled</strong> the <b>Email Code Authentication</b> for your account.'
 	]
 );
--- a/system/pages/account/2fa/email/enable.php
+++ b/system/pages/account/2fa/email/enable.php
@@ -1,51 +0,0 @@
 <?php
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 defined('MYAAC') or die('Direct access not allowed!');
 require __DIR__ . '/../base.php';
 if ((!setting('core.mail_enabled'))) {
 	$twig->display('error_box.html.twig',  ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]);
 	return;
 }
 if ($twoFactorAuth->isActive()) {
 	$errors[] = 'Two-factor authentication is already enabled on your account.';
 	$twig->display('error_box.html.twig', ['errors' => $errors]);
 	return;
 }
 if (!$twoFactorAuth->hasRecentEmailCode(15 * 60)) {
 	$twoFactorAuth->resendEmailCode();
 }
 if (isset($_POST['save'])) {
 	if (!empty($code)) {
 		$twoFactorAuth->setAuthGateway(TwoFactorAuth::TYPE_EMAIL);
 		if ($twoFactorAuth->getAuthGateway()->verifyCode($code)) {
 			$serverName = configLua('serverName');
 			$twoFactorAuth->enable(TwoFactorAuth::TYPE_EMAIL);
 			$twoFactorAuth->deleteOldCodes();
 			$twig->display('success.html.twig', [
 				'title' => 'Email Code Authentication Activated',
 				'description' => sprintf('You have successfully activated <b>email code authentication</b> for your account. This means an <b>email code</b> will be sent to the email address assigned to your account whenever you try to log in to the %s client or the %s website. In order to log in, you will need to enter the <b>most recent email code</b> you have received.', $serverName, $serverName)
 			]);
 			return;
 		}
 		else {
 			$errors[] = 'Invalid email code!';
 		}
 	}
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', ['errors' => $errors]);
 }
 $twig->display('account/2fa/email/enable.html.twig', ['wrongCode' => count($errors) > 0]);
--- a/system/pages/account/2fa/email/resend-code.php
+++ b/system/pages/account/2fa/email/resend-code.php
@@ -1,32 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 require __DIR__ . '/../base.php';
 if ((!setting('core.mail_enabled'))) {
 	$twig->display('error_box.html.twig',  ['errors' => ['Account Two-Factor E-Mail Authentication disabled.']]);
 	return;
 }
 if (!$account_logged->isLoaded()) {
 	error('Account not found!');
 	return;
 }
 if ($twoFactorAuth->isActive($twoFactorAuth::TYPE_APP)) {
 	error('You have to disable the app auth first!');
 	return;
 }
 if ($twoFactorAuth->hasRecentEmailCode(30 * 60)) {
 	$errors = ['Sorry, one email per 30 minutes'];
 }
 else {
 	$twoFactorAuth->resendEmailCode();
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig',  ['errors' => $errors]);
 }
 $twig->display('account/2fa/email/enable.html.twig');
--- a/system/pages/account/base.php
+++ b/system/pages/account/base.php
@@ -17,10 +17,6 @@ if(!$logged)
 	if(!empty($errors))
 		$twig->display('error_box.html.twig', array('errors' => $errors));
 	if (defined('HIDE_LOGIN_BOX') && HIDE_LOGIN_BOX) {
 		return;
 	}
 	$twig->display('account.login.html.twig', array(
 		'redirect' => $_REQUEST['redirect'] ?? null,
 		'account' => USE_ACCOUNT_NAME ? 'Name' : 'Number',
@@ -34,11 +30,3 @@ if(!$logged)
 else {
 	$show_form = true;
 }
 function generateRecoveryKey(): string
 {
 	return generateRandomString(5, false, true, true) . '-' .
 		generateRandomString(5, false, true, true) . '-' .
 		generateRandomString(5, false, true, true) . '-' .
 		generateRandomString(5, false, true, true);
 }
--- a/system/pages/account/create.php
+++ b/system/pages/account/create.php
@@ -10,7 +10,6 @@
 */
 use MyAAC\CreateCharacter;
 use MyAAC\Models\AccountAction;
 use MyAAC\Models\AccountEmailVerify;
 defined('MYAAC') or die('Direct access not allowed!');
@@ -45,16 +44,6 @@ $errors = array();
 $save = isset($_POST['save']) && $_POST['save'] == 1;
 if($save)
 {
 	$cooldown = setting('core.account_create_ip_block_cooldown');;
 	if ($cooldown > 0) {
 		$accountAction = AccountAction::where('ip', get_browser_real_ip())->where('action', 'Account created.')->where('date', '>=', time() - ($cooldown * 60))->first();
 		if ($accountAction) {
 			$minute = ($cooldown > 1 ? 'minutes' : 'minute');
 			$errors['account'] = "You have to wait $cooldown $minute before creating another account.";
 		}
 	}
 	if(!config('account_login_by_email')) {
 		if(USE_ACCOUNT_NAME) {
 			$account_name = $_POST['account'];
@@ -151,7 +140,7 @@ if($save)
 		'country' => $country,
 		'password' => $password,
 		'password_confirm' => $password_confirm,
-		'accept_rules' => isset($_POST['accept_rules']) && $_POST['accept_rules'] === 'true',
+		'accept_rules' => isset($_POST['accept_rules']) ? $_POST['accept_rules'] === 'true' : false,
 	);
 	if (!config('account_login_by_email')) {
@@ -171,7 +160,7 @@ if($save)
 	}
 	if(setting('core.account_create_character_create')) {
-		$character_name = isset($_POST['name']) ? stripslashes(ucwords(strtolower($_POST['name']))) : null;
+		$character_name = isset($_POST['name']) ? trim(stripslashes($_POST['name'])) : null;
 		$character_sex = isset($_POST['sex']) ? (int)$_POST['sex'] : null;
 		$character_vocation = isset($_POST['vocation']) ? (int)$_POST['vocation'] : null;
 		$character_town = isset($_POST['town']) ? (int)$_POST['town'] : null;
@@ -203,21 +192,6 @@ if($save)
 		$new_account->setPassword(encrypt($password));
 		$new_account->setEMail($email);
 		$settingAccountPremiumDays = setting('core.account_premium_days');
 		if($settingAccountPremiumDays && $settingAccountPremiumDays > 0) {
 			$new_account->setPremDays($settingAccountPremiumDays);
 			if (!isCanary()) {
 				$lastDay = 0;
 				if($settingAccountPremiumDays != 0 && $settingAccountPremiumDays != OTS_Account::GRATIS_PREMIUM_DAYS) {
 					$lastDay = time();
 				}
 				$new_account->setLastLogin($lastDay);
 			}
 		}
 		$new_account->save();
 		$hooks->trigger(HOOK_ACCOUNT_CREATE_AFTER_SAVED, ['account' => $new_account]);
@@ -232,6 +206,22 @@ if($save)
 			$new_account->setCustomField('country', $country);
 		}
 		$settingAccountPremiumDays = setting('core.account_premium_days');
 		if($settingAccountPremiumDays && $settingAccountPremiumDays > 0) {
 			if($db->hasColumn('accounts', 'premend')) { // othire
 				$new_account->setCustomField('premend', time() + $settingAccountPremiumDays * 86400);
 			}
 			else { // rest
 				if ($db->hasColumn('accounts', 'premium_ends_at')) { // TFS 1.4+
 					$new_account->setCustomField('premium_ends_at', time() + $settingAccountPremiumDays * (60 * 60 * 24));
 				}
 				else {
 					$new_account->setCustomField('premdays', $settingAccountPremiumDays);
 					$new_account->setCustomField('lastday', time());
 				}
 			}
 		}
 		$accountDefaultPremiumPoints = setting('core.account_premium_points');
 		if($accountDefaultPremiumPoints > 0) {
 			$new_account->setCustomField('premium_points', $accountDefaultPremiumPoints);
--- a/system/pages/account/login.php
+++ b/system/pages/account/login.php
@@ -10,7 +10,6 @@
 */
 use MyAAC\RateLimit;
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 defined('MYAAC') or die('Direct access not allowed!');
@@ -53,18 +52,8 @@ if(!empty($login_account) && !empty($login_password))
 			$errors[] = 'Your account is not verified. Please verify your email address. If the message is not coming check the SPAM folder in your E-Mail client.<br/>' .
 				'You can resend the Email here: <a href="' . $link . '">' . $link . '</a>';
 		} else {
 			setSession('account', $account_logged->getId());
 			if (!$hooks->trigger(HOOK_ACCOUNT_LOGIN_PRE)) {
 				return;
 			}
 			$twoFactorAuth = TwoFactorAuth::getInstance($account_logged);
 			if (!$twoFactorAuth->process($login_account, $login_password, $remember_me, $_POST['auth-code'] ?? '')) {
 				return;
 			}
 			session_regenerate_id();
 			setSession('account', $account_logged->getId());
 			setSession('password', encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password));
 			if($remember_me) {
 				setSession('remember_me', true);
--- a/system/pages/account/lost.php
+++ b/system/pages/account/lost.php
@@ -9,11 +9,540 @@
 * @link      https://my-aac.org
 */
 defined('MYAAC') or die('Direct access not allowed!');
-$title = 'Lost Account';
+$title = 'Lost Account Interface';
-if(!setting('core.mail_enabled')) {
+if(!setting('core.mail_enabled'))
-	echo "<b>Account maker is not configured to send e-mails, you can't use Lost Account Interface. Contact with admin to get help.</b>";
+{
 	echo '<b>Account maker is not configured to send e-mails, you can\'t use Lost Account Interface. Contact with admin to get help.</b>';
 	return;
 }
-$twig->display('account/lost/form.html.twig');
+$action_type = isset($_REQUEST['action_type']) ? $_REQUEST['action_type'] : '';
 if($action == '')
 {
 	$twig->display('account.lost.form.html.twig');
 }
 else if($action == 'step1' && $action_type == '') {
 	$twig->display('account.lost.noaction.html.twig');
 }
 elseif($action == 'step1' && $action_type == 'email')
 {
 	$nick = stripslashes($_REQUEST['nick']);
 	if(Validator::characterName($nick))
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($nick);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			if($account->getCustomField('email_next') < time())
 				echo 'Please enter e-mail to account with this character.<BR>
 				<form action="' . getLink('account/lost') . '?action=sendcode" method=post>
 				<input type=hidden name="character">
 				<table cellspacing=1 cellpadding=4 border=0 width=100%>
 				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter e-mail to account</B></TD></TR>
 				<TR><TD BGCOLOR="'.$config['darkborder'].'">
 				Character: <INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR>
 				E-mail to account:<INPUT TYPE=text NAME="email" VALUE="" SIZE="40"><BR>
 				</TD></TR>
 				</TABLE>
 				<BR>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				' . $twig->render('buttons.submit.html.twig') . '</div>
 				</TD></TR></FORM></TABLE></TABLE>';
 			else
 			{
 				$insec = (int)$account->getCustomField('email_next') - time();
 				$minutesleft = floor($insec / 60);
 				$secondsleft = $insec - ($minutesleft * 60);
 				$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
 				echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
 			}
 		}
 		else
 			echo 'Player or account of player <b>' . $nick . '</b> doesn\'t exist.';
 	}
 	else
 		echo 'Invalid player name format. If you have other characters on account try with other name.';
 	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<a href="' . getLink('account/lost') . '" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
 elseif($action == 'sendcode')
 {
 	$email = $_REQUEST['email'];
 	$nick = stripslashes($_REQUEST['nick']);
 	if(Validator::characterName($nick))
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($nick);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			if($account->getCustomField('email_next') < time())
 			{
 				if($account->getEMail() == $email)
 				{
 					$newcode = generateRandomString(30, true, false, true);
 					$mailBody = '
 					You asked to reset your ' . $config['lua']['serverName'] . ' password.<br/>
 					<p>Account name: '.$account->getName().'</p>
 					<br />
 					To do so, please click this link:
 					<p><a href="' . getLink('account/lost') . '?action=checkcode&code='.$newcode.'&character='.urlencode($nick).'">' . getLink('account/lost') . '?action=checkcode&code='.$newcode.'&character='.urlencode($nick).'</a></p>
 					<p>or open page: <i>' . getLink('account/lost') . '?action=checkcode</i> and in field "code" write <b>'.$newcode.'</b></p>
 					<br/>
 						<p>If you did not request a password change, you may ignore this message and your password will remain unchanged.';
 					$account_mail = $account->getCustomField('email');
 					if(_mail($account_mail, $config['lua']['serverName'].' - Recover your account', $mailBody))
 					{
 						$account->setCustomField('email_code', $newcode);
 						$account->setCustomField('email_next', (time() + setting('core.mail_lost_account_interval')));
 						echo '<br />Details about steps required to recover your account has been sent to <b>' . $account_mail . '</b>. You should receive this email within 15 minutes. Please check your inbox/spam directory.';
 					}
 					else
 					{
 						$account->setCustomField('email_next', (time() + 60));
 						echo '<br /><p class="error">An error occurred while sending email! Try again later or contact with admin. For Admin: More info can be found in system/logs/mailer-error.log</p>';
 					}
 				}
 				else
 					echo 'Invalid e-mail to account of character <b>'.$nick.'</b>. Try again.';
 			}
 			else
 			{
 				$insec = (int)$account->getCustomField('email_next') - time();
 				$minutesleft = floor($insec / 60);
 				$secondsleft = $insec - ($minutesleft * 60);
 				$timeleft = $minutesleft.' minutes '.$secondsleft.' seconds';
 				echo 'Account of selected character (<b>'.$nick.'</b>) received e-mail in last '.ceil(setting('core.mail_lost_account_interval') / 60).' minutes. You must wait '.$timeleft.' before you can use Lost Account Interface again.';
 			}
 		}
 		else
 			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
 	}
 	else
 		echo 'Invalid player name format. If you have other characters on account try with other name.';
 	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<a href="' . getLink('account/lost') . '?action=step1&action_type=email&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
 elseif($action == 'step1' && $action_type == 'reckey')
 {
 	$nick = stripslashes($_REQUEST['nick']);
 	if(Validator::characterName($nick))
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($nick);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			$account_key = $account->getCustomField('key');
 			if(!empty($account_key))
 			{
 						echo 'If you enter right recovery key you will see form to set new e-mail and password to account. To this e-mail will be send your new password and account name.<BR>
 						<FORM ACTION="' . getLink('account/lost') . '?action=step2" METHOD=post>
 						<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 						<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter your recovery key</B></TD></TR>
 						<TR><TD BGCOLOR="'.$config['darkborder'].'">
 						Character name:&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
 						Recovery key:&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=text NAME="key" VALUE="" SIZE="40"><BR>
 						</TD></TR>
 						</TABLE>
 						<BR>
 						<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 						' . $twig->render('buttons.submit.html.twig') . '</div>
 						</TD></TR></FORM></TABLE></TABLE>';
 			}
 			else
 				echo 'Account of this character has no recovery key!';
 		}
 		else
 			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
 	}
 	else
 		echo 'Invalid player name format. If you have other characters on account try with other name.';
 	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<a href="' . getLink('account/lost') . '" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
 elseif($action == 'step2')
 {
 	$rec_key = trim($_REQUEST['key']);
 	$nick = stripslashes($_REQUEST['nick']);
 	if(Validator::characterName($nick))
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($nick);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			$account_key = $account->getCustomField('key');
 			if(!empty($account_key))
 			{
 				if($account_key == $rec_key)
 				{
 					echo '<script type="text/javascript">
 					function validate_required(field,alerttxt)
 					{
 					with (field)
 					{
 					if (value==null||value==""||value==" ")
 					  {alert(alerttxt);return false;}
 					else {return true}
 					}
 					}
 					function validate_email(field,alerttxt)
 					{
 					with (field)
 					{
 					apos=value.indexOf("@");
 					dotpos=value.lastIndexOf(".");
 					if (apos<1||dotpos-apos<2)
 					  {alert(alerttxt);return false;}
 					else {return true;}
 					}
 					}
 					function validate_form(thisform)
 					{
 					with (thisform)
 					{
 					if (validate_required(email,"Please enter your e-mail!")==false)
 					  {email.focus();return false;}
 					if (validate_email(email,"Invalid e-mail format!")==false)
 					  {email.focus();return false;}
 					if (validate_required(passor,"Please enter password!")==false)
 					  {passor.focus();return false;}
 					if (validate_required(passor2,"Please repeat password!")==false)
 					  {passor2.focus();return false;}
 					if (passor2.value!=passor.value)
 					  {alert(\'Repeated password is not equal to password!\');return false;}
 					}
 					}
 					</script>';
 					echo 'Set new password and e-mail to your account.<BR>
 					<FORM ACTION="' . getLink('account/lost') . '?action=step3" onsubmit="return validate_form(this)" METHOD=post>
 					<INPUT TYPE=hidden NAME="character" VALUE="">
 					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Please enter new password and e-mail</B></TD></TR>
 					<TR><TD BGCOLOR="'.$config['darkborder'].'">
 					Account of character:&nbsp;&nbsp;<INPUT TYPE=text NAME="nick" VALUE="'.$nick.'" SIZE="40" readonly="readonly"><BR />
 					New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT id="passor" TYPE=password NAME="passor" VALUE="" SIZE="40"><BR>
 					Repeat new password:&nbsp;&nbsp;<INPUT id="passor2" TYPE=password NAME="passor" VALUE="" SIZE="40"><BR>
 					New e-mail address:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT id="email" TYPE=text NAME="email" VALUE="" SIZE="40"><BR>
 					<INPUT TYPE=hidden NAME="key" VALUE="'.$rec_key.'">
 					</TD></TR>
 					</TABLE>
 					<BR>
 					<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 					' . $twig->render('buttons.submit.html.twig') . '</div>
 					</TD></TR></FORM></TABLE></TABLE>';
 				}
 				else
 					echo 'Wrong recovery key!';
 			}
 			else
 				echo 'Account of this character has no recovery key!';
 		}
 		else
 			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
 	}
 	else
 		echo 'Invalid player name format. If you have other characters on account try with other name.';
 	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<a href="' . getLink('account/lost') . '?action=step1&action_type=reckey&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
 elseif($action == 'step3')
 {
 	$rec_key = trim($_REQUEST['key']);
 	$nick = stripslashes($_REQUEST['nick']);
 	$new_pass = trim($_REQUEST['passor']);
 	$new_email = trim($_REQUEST['email']);
 	if(Validator::characterName($nick))
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($nick);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			$account_key = $account->getCustomField('key');
 			if(!empty($account_key))
 			{
 				if($account_key == $rec_key)
 				{
 					if(Validator::password($new_pass))
 					{
 						if(Validator::email($new_email))
 						{
 							$account->setEMail($new_email);
 							$tmp_new_pass = $new_pass;
 							if(USE_ACCOUNT_SALT)
 							{
 								$salt = generateRandomString(10, false, true, true);
 								$tmp_new_pass = $salt . $new_pass;
 							}
 							$account->setPassword(encrypt($tmp_new_pass));
 							$account->save();
 							if(USE_ACCOUNT_SALT)
 								$account->setCustomField('salt', $salt);
 							echo 'Your account name, new password and new e-mail.<BR>
 							<FORM ACTION="' . getLink('account/manage') . '" onsubmit="return validate_form(this)" METHOD=post>
 							<INPUT TYPE=hidden NAME="character" VALUE="">
 							<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 							<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Your account name, new password and new e-mail</B></TD></TR>
 							<TR><TD BGCOLOR="'.$config['darkborder'].'">
 							Account name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>'.$account->getName().'</b><BR>
 							New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b>'.$new_pass.'</b><BR>
 							New e-mail address:&nbsp;<b>'.$new_email.'</b><BR>';
 							if($account->getCustomField('email_next') < time())
 							{
 								$mailBody = '
 								<h3>Your account name and new password!</h3>
 								<p>Changed password and e-mail to your account in Lost Account Interface on server <a href="'.BASE_URL.'"><b>'.$config['lua']['serverName'].'</b></a></p>
 								<p>Account name: <b>'.$account->getName().'</b></p>
 								<p>New password: <b>'.$new_pass.'</b></p>
 								<p>E-mail: <b>'.$new_email.'</b> (this e-mail)</p>
 								<br />
 								<p><u>It\'s automatic e-mail from OTS Lost Account System. Do not reply!</u></p>';
 								if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - New password to your account", $mailBody))
 								{
 									echo '<br /><small>Sent e-mail with your account name and password to new e-mail. You should receive this e-mail in 15 minutes. You can login now with new password!</small>';
 								}
 								else
 								{
 									echo '<br /><p class="error">An error occurred while sending email! You will not receive e-mail with this informations. For Admin: More info can be found in system/logs/mailer-error.log</p>';
 								}
 							}
 							else
 							{
 								echo '<br /><small>You will not receive e-mail with this informations.</small>';
 							}
 							echo '<INPUT TYPE=hidden NAME="account_login" VALUE="'.$account->getId().'">
 							<INPUT TYPE=hidden NAME="password_login" VALUE="'.$new_pass.'">
 							</TD></TR></TABLE><BR>
 							<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 							<INPUT TYPE=image NAME="Login" ALT="Login" SRC="'.$template_path.'/images/global/buttons/sbutton_login.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
 							</TD></TR></FORM></TABLE></TABLE>';
 						}
 						else
 							echo Validator::getLastError();
 					}
 					else
 						echo Validator::getLastError();
 				}
 				else
 					echo 'Wrong recovery key!';
 			}
 			else
 				echo 'Account of this character has no recovery key!';
 		}
 		else
 			echo 'Player or account of player <b>'.$nick.'</b> doesn\'t exist.';
 	}
 	else
 		echo 'Invalid player name format. If you have other characters on account try with other name.';
 	echo '<BR /><TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<a href="' . getLink('account/lost') . '?action=step1&action_type=reckey&nick='.urlencode($nick).'" border="0"><IMG SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" NAME="Back" ALT="Back" BORDER=0 WIDTH=120 HEIGHT=18></a></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
 elseif($action == 'checkcode')
 {
 	$code = trim($_REQUEST['code']);
 	$character = stripslashes(trim($_REQUEST['character']));
 	if(empty($code) || empty($character))
 		echo 'Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
 				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
 				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
 				<TR><TD BGCOLOR="'.$config['darkborder'].'">
 				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
 				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
 				</TD></TR>
 				</TABLE>
 				<BR>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				' . $twig->render('buttons.submit.html.twig') . '</div>
 				</TD></TR></FORM></TABLE></TABLE>';
 	else
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($character);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			if($account->getCustomField('email_code') == $code)
 			{
 				echo '<script type="text/javascript">
 				function validate_required(field,alerttxt)
 				{
 				with (field)
 				{
 				if (value==null||value==""||value==" ")
 				  {alert(alerttxt);return false;}
 				else {return true}
 				}
 				}
 				function validate_form(thisform)
 				{
 				with (thisform)
 				{
 				if (validate_required(passor,"Please enter password!")==false)
 				  {passor.focus();return false;}
 				if (validate_required(passor2,"Please repeat password!")==false)
 				  {passor2.focus();return false;}
 				if (passor2.value!=passor.value)
 				  {alert(\'Repeated password is not equal to password!\');return false;}
 				}
 				}
 				</script>
 				Please enter new password to your account and repeat to make sure you remember password.<BR>
 				<FORM ACTION="' . getLink('account/lost') . '?action=setnewpassword" onsubmit="return validate_form(this)" METHOD=post>
 				<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
 				<INPUT TYPE=hidden NAME="code" VALUE="'.$code.'">
 				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & account name</B></TD></TR>
 				<TR><TD BGCOLOR="'.$config['darkborder'].'">
 				New password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<INPUT TYPE=password ID="passor" NAME="passor" VALUE="" SIZE="40")><BR />
 				Repeat new password:&nbsp;<INPUT TYPE=password ID="passor2" NAME="passor2" VALUE="" SIZE="40")><BR />
 				</TD></TR>
 				</TABLE>
 				<BR>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				' . $twig->render('buttons.submit.html.twig') . '</div>
 				</TD></TR></FORM></TABLE></TABLE>';
 			}
 			else
 				$error= 'Wrong code to change password.';
 		}
 		else
 			$error = 'Account of this character or this character doesn\'t exist.';
 	}
 	if(!empty($error))
 				echo '<span style="color: red"><b>'.$error.'</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
 				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
 				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
 				<TR><TD BGCOLOR="'.$config['darkborder'].'">
 				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
 				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
 				</TD></TR>
 				</TABLE>
 				<BR>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				' . $twig->render('buttons.submit.html.twig') . '</div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
 elseif($action == 'setnewpassword')
 {
 	$newpassword = $_REQUEST['passor'];
 	$code = $_REQUEST['code'];
 	$character = stripslashes($_REQUEST['character']);
 	echo '';
 	if(empty($code) || empty($character) || empty($newpassword))
 		echo '<span style="color: red"><b>Error. Try again.</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
 				<BR><FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<INPUT TYPE=image NAME="Back" ALT="Back" SRC="'.$template_path.'/images/global/buttons/sbutton_back.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 	else
 	{
 		$player = new OTS_Player();
 		$account = new OTS_Account();
 		$player->find($character);
 		if($player->isLoaded())
 			$account = $player->getAccount();
 		if($account->isLoaded())
 		{
 			if($account->getCustomField('email_code') == $code)
 			{
 				if(Validator::password($newpassword))
 				{
 					$tmp_new_pass = $newpassword;
 					if(USE_ACCOUNT_SALT)
 					{
 						$salt = generateRandomString(10, false, true, true);
 						$tmp_new_pass  = $salt . $newpassword;
 						$account->setCustomField('salt', $salt);
 					}
 					$account->setPassword(encrypt($tmp_new_pass ));
 					$account->save();
 					$account->setCustomField('email_code', '');
 					echo 'New password to your account is below. Now you can login.<BR>
 					<INPUT TYPE=hidden NAME="character" VALUE="'.$character.'">
 					<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 					<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Changed password</B></TD></TR>
 					<TR><TD BGCOLOR="'.$config['darkborder'].'">
 					New password:&nbsp;<b>'.$newpassword.'</b><BR />
 					Account name:&nbsp;&nbsp;&nbsp;<i>(Already on your e-mail)</i><BR />';
 					$mailBody = '
 					<h3>Your account name and password!</h3>
 					<p>Changed password to your account in Lost Account Interface on server <a href="'.BASE_URL.'"><b>'.$config['lua']['serverName'].'</b></a></p>
 					<p>Account name: <b>'.$account->getName().'</b></p>
 					<p>New password: <b>'.$newpassword.'</b></p>
 					<br />
 					<p><u>It\'s automatic e-mail from OTS Lost Account System. Do not reply!</u></p>';
 					if(_mail($account->getCustomField('email'), $config['lua']['serverName']." - Your new password", $mailBody))
 					{
 						echo '<br /><small>New password work! Sent e-mail with your password and account name. You should receive this e-mail in 15 minutes. You can login now with new password!';
 					}
 					else
 					{
 						echo '<br /><p class="error">New password work! An error occurred while sending email! You will not receive e-mail with new password. For Admin: More info can be found in system/logs/mailer-error.log';
 					}
 				echo '</TD></TR>
 				</TABLE>
 				<BR>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				<FORM ACTION="' . getLink('account/manage') . '" METHOD=post>
 				<INPUT TYPE=image NAME="Login" ALT="Login" SRC="'.$template_path.'/images/global/buttons/sbutton_login.gif" BORDER=0 WIDTH=120 HEIGHT=18></div>
 				</TD></TR></FORM></TABLE></TABLE>';
 				}
 				else
 					$error= Validator::getLastError();
 			}
 			else
 				$error= 'Wrong code to change password.';
 		}
 		else
 			$error = 'Account of this character or this character doesn\'t exist.';
 	}
 	if(!empty($error))
 				echo '<span style="color: red"><b>'.$error.'</b></span><br />Please enter code from e-mail and name of one character from account. Then press Submit.<BR>
 				<FORM ACTION="' . getLink('account/lost') . '?action=checkcode" METHOD=post>
 				<TABLE CELLSPACING=1 CELLPADDING=4 BORDER=0 WIDTH=100%>
 				<TR><TD BGCOLOR="'.$config['vdarkborder'].'" class="white"><B>Code & character name</B></TD></TR>
 				<TR><TD BGCOLOR="'.$config['darkborder'].'">
 				Your code:&nbsp;<INPUT TYPE=text NAME="code" VALUE="" SIZE="40")><BR />
 				Character:&nbsp;<INPUT TYPE=text NAME="character" VALUE="" SIZE="40")><BR />
 				</TD></TR>
 				</TABLE>
 				<BR>
 				<TABLE CELLSPACING=0 CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD><div style="text-align:center">
 				' . $twig->render('buttons.submit.html.twig') . '</div>
 				</TD></TR></FORM></TABLE></TABLE>';
 }
--- a/system/pages/account/lost/base.php
+++ b/system/pages/account/lost/base.php
@@ -1,18 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 function lostAccountWriteCooldown(string $nick, int $time): void
 {
 	global $twig;
 	$inSec = $time - time();
 	$minutesLeft = floor($inSec / 60);
 	$secondsLeft = $inSec - ($minutesLeft * 60);
 	$timeLeft = "$minutesLeft minutes $secondsLeft seconds";
 	$timeRounded = ceil(setting('core.mail_lost_account_interval') / 60);
 	$twig->display('error_box.html.twig', [
 		'errors' => ["Account of selected character (<b>" . escapeHtml($nick) . "</b>) received e-mail in last $timeRounded minutes. You must wait $timeLeft before you can use Lost Account Interface again."]
 	]);
 }
--- a/system/pages/account/lost/check-code.php
+++ b/system/pages/account/lost/check-code.php
@@ -1,51 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 $title = 'Lost Account';
 $code = $_REQUEST['code'] ?? '';
 $character = $_REQUEST['character'] ?? '';
 if(empty($code) || empty($character)) {
 	$twig->display('account/lost/check-code.html.twig', [
 		'code' => $code,
 		'characters' => $character,
 	]);
 }
 else {
 	$player = new OTS_Player();
 	$account = new OTS_Account();
 	$player->find($character);
 	if($player->isLoaded()) {
 		$account = $player->getAccount();
 	}
 	if($account->isLoaded()) {
 		if($account->getCustomField('email_code') == $code) {
 			$twig->display('account/lost/check-code.finish.html.twig', [
 				'character' => $character,
 				'code' => $code,
 			]);
 		}
 		else {
 			$error = 'Wrong code to change password.';
 		}
 	}
 	else {
 		$error = "Account of this character or this character doesn't exist.";
 	}
 }
 if(!empty($error)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => [$error],
 	]);
 	echo '<br/>';
 	$twig->display('account/lost/check-code.html.twig', [
 	]);
 }
--- a/system/pages/account/lost/email/send-code.php
+++ b/system/pages/account/lost/email/send-code.php
@@ -1,75 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 require __DIR__ . '/../base.php';
 $title = 'Lost Account';
 $email = $_POST['email'] ?? '';
 $nick = $_POST['nick'] ?? '';
 $player = new OTS_Player();
 $account = new OTS_Account();
 $player->find($nick);
 if($player->isLoaded()) {
 	$account = $player->getAccount();
 }
 if($account->isLoaded()) {
 	if($account->getCustomField('email_next') < time()) {
 		if($account->getEMail() == $email) {
 			$newCode = generateRandomString(30, true, false, true);
 			$mailBody = $twig->render('mail.account.lost.code.html.twig', [
 				'newCode' => $newCode,
 				'account' => $account,
 				'nick' => $nick,
 			]);
 			$accountEMail = $account->getCustomField('email');
 			if(_mail($accountEMail, configLua('serverName') . ' - Recover your account', $mailBody)) {
 				$account->setCustomField('email_code', $newCode);
 				$account->setCustomField('email_next', (time() + setting('core.mail_lost_account_interval')));
 				$twig->display('success.html.twig', [
 					'title' => 'Email has been sent',
 					'description' => 'Details about steps required to recover your account has been sent to <b>' . $accountEMail . '</b>. You should receive this email within 15 minutes. Please check your inbox/spam directory.',
 					'custom_buttons' => '',
 				]);
 				$twig->display('account.back_button.html.twig', [
 					'new_line' => true,
 					'center' => true,
 					'action' => getLink('news'),
 				]);
 				return;
 			}
 			$account->setCustomField('email_next', (time() + 60));
 			error('An error occurred while sending email! Try again later or contact with admin. For Admin: More info can be found in system/logs/mailer-error.log</p>');
 		}
 		else {
 			$errors[] = 'Invalid e-mail to account of character <b>' . escapeHtml($nick) . '</b>. Try again.';
 		}
 	}
 	else {
 		lostAccountWriteCooldown($nick, (int)$account->getCustomField('email_next'));
 	}
 }
 else {
 	$errors[] =  "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 }
 $twig->display('account.back_button.html.twig', [
 	'new_line' => true,
 	'center' => true,
 	'action' => getLink('account/lost/step-1') . '?action=email&nick=' . urlencode($nick),
 ]);
--- a/system/pages/account/lost/email/set-new-password.php
+++ b/system/pages/account/lost/email/set-new-password.php
@@ -1,128 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 $title = 'Lost Account';
 $newPassword = $_POST['password'] ?? '';
 $passwordRepeat = $_POST['password_repeat'] ?? '';
 $code = $_POST['code'] ?? '';
 $character = $_POST['character'] ?? '';
 if(empty($code) || empty($character)) {
 	$errors[] = 'Please enter code from e-mail and name of one character from account.';
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 	$twig->display('account/lost/check-code.html.twig', [
 		'code' => $code,
 		'character' => $character,
 	]);
 	$twig->display('account.back_button.html.twig', [
 		'new_line' => true,
 		'center' => true,
 		'action' => getLink('account/lost/check-code')
 	]);
 	return;
 }
 if (empty($newPassword) || empty($passwordRepeat)) {
 	$errors[] = 'Please enter both passwords.';
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 	$twig->display('account/lost/check-code.finish.html.twig', [
 		'character' => $character,
 		'code' => $code,
 	]);
 	return;
 }
 $player = new OTS_Player();
 $account = new OTS_Account();
 $player->find($character);
 if($player->isLoaded()) {
 	$account = $player->getAccount();
 }
 $passwordFailed = false;
 if($account->isLoaded()) {
 	if($account->getCustomField('email_code') == $code) {
 		if ($newPassword == $passwordRepeat) {
 			if (Validator::password($newPassword)) {
 				$hooks->trigger(HOOK_ACCOUNT_LOST_EMAIL_SET_NEW_PASSWORD_POST);
 				if (empty($errors)) {
 					$tmp_new_pass = $newPassword;
 					if (USE_ACCOUNT_SALT) {
 						$salt = generateRandomString(10, false, true, true);
 						$tmp_new_pass = $salt . $newPassword;
 						$account->setCustomField('salt', $salt);
 					}
 					$account->setPassword(encrypt($tmp_new_pass));
 					$account->save();
 					$account->setCustomField('email_code', '');
 					$mailBody = $twig->render('mail.account.lost.new-password.html.twig', [
 						'account' => $account,
 						'newPassword' => $newPassword,
 					]);
 					$statusMsg = '';
 					if (_mail($account->getCustomField('email'), configLua('serverName') . ' - Your new password', $mailBody)) {
 						$statusMsg = '<br /><small>New password work! Sent e-mail with your password and account name. You should receive this e-mail in 15 minutes. You can login now with new password!';
 					} else {
 						$statusMsg = '<br /><p class="error">New password work! An error occurred while sending email! You will not receive e-mail with new password. For Admin: More info can be found in system/logs/mailer-error.log';
 					}
 					$twig->display('account/lost/finish.new-password.html.twig', [
 						'statusMsg' => $statusMsg,
 						'newPassword' => $newPassword,
 					]);
 				}
 			} else {
 				$passwordFailed = true;
 				$errors[] = Validator::getLastError();
 			}
 		}
 		else {
 			$passwordFailed = true;
 			$errors[] = 'Passwords are not the same!';
 		}
 	}
 	else {
 		$errors[] = 'Wrong code to change password.';
 	}
 }
 else {
 	$errors[] = "Account of this character or this character doesn't exist.";
 }
 if(!empty($errors)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 	echo '<br/>';
 	$template = 'account/lost/check-code.html.twig';
 	if($passwordFailed) {
 		$template = 'account/lost/check-code.finish.html.twig';
 	}
 	$twig->display($template, [
 		'code' => $code,
 		'character' => $character,
 	]);
 }
--- a/system/pages/account/lost/email/step-1.php
+++ b/system/pages/account/lost/email/step-1.php
@@ -1,36 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 require __DIR__ . '/../base.php';
 csrfProtect();
 $title = 'Lost Account';
 $nick = $_REQUEST['nick'] ?? '';
 if($account->isLoaded()) {
 	if($account->getCustomField('email_next') < time()) {
 		$twig->display('account/lost/email.html.twig', [
 			'nick' => $nick,
 		]);
 	}
 	else {
 		lostAccountWriteCooldown($nick, (int)$account->getCustomField('email_next'));
 	}
 }
 else {
 	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 }
 $twig->display('account.back_button.html.twig', [
 	'new_line' => true,
 	'center' => true,
 	'action' => getLink('account/lost'),
 ]);
--- a/system/pages/account/lost/recovery-key/step-1.php
+++ b/system/pages/account/lost/recovery-key/step-1.php
@@ -1,38 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 $title = 'Lost Account';
 $nick = $_REQUEST['nick'] ?? '';
 $key = $_REQUEST['key'] ?? '';
 if($account->isLoaded()) {
 	$account_key = $account->getCustomField('key');
 	if(!empty($account_key)) {
 		$twig->display('account/lost/recovery-key.step-1.html.twig', [
 			'nick' => $nick,
 			'key' => $key,
 		]);
 	}
 	else {
 		$errors[] = 'Account of this character has no recovery key!';
 	}
 }
 else {
 	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 }
 $twig->display('account.back_button.html.twig', [
 	'new_line' => true,
 	'center' => true,
 	'action' => getLink('account/lost'),
 ]);
--- a/system/pages/account/lost/recovery-key/step-2.php
+++ b/system/pages/account/lost/recovery-key/step-2.php
@@ -1,49 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 $title = 'Lost Account';
 $key = $_REQUEST['key'] ?? '';
 $nick = $_REQUEST['nick'] ?? '';
 $player = new OTS_Player();
 $account = new OTS_Account();
 $player->find($nick);
 if($player->isLoaded()) {
 	$account = $player->getAccount();
 }
 if($account->isLoaded()) {
 	$accountKey = $account->getCustomField('key');
 	if(!empty($accountKey)) {
 		if($accountKey == $key) {
 			$twig->display('account/lost/recovery-key.step-2.html.twig', [
 				'nick' => $nick,
 				'key' => $key,
 			]);
 		}
 		else {
 			$errors[] = 'Wrong recovery key!';
 		}
 	}
 	else {
 		$errors[] = 'Account of this character has no recovery key!';
 	}
 }
 else {
 	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 }
 $twig->display('account.back_button.html.twig', [
 	'new_line' => true,
 	'center' => true,
 	'action' => getLink('account/lost/step-1') . '?action=recovery-key&nick=' . urlencode($nick) . '&key=' . urlencode($key),
 ]);
--- a/system/pages/account/lost/recovery-key/step-3.php
+++ b/system/pages/account/lost/recovery-key/step-3.php
@@ -1,117 +0,0 @@
 <?php
 use MyAAC\Models\Account as AccountModel;
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 $title = 'Lost Account';
 $key = $_POST['key'];
 $nick = $_POST['nick'] ?? '';
 $newPassword = $_POST['password'] ?? '';
 $passwordRepeat = $_POST['password_repeat'] ?? '';
 $newEmail = $_POST['email'] ?? '';
 $player = new OTS_Player();
 $account = new OTS_Account();
 $player->find($nick);
 if($player->isLoaded()) {
 	$account = $player->getAccount();
 }
 if($account->isLoaded()) {
 	$accountKey = $account->getCustomField('key');
 	if(!empty($accountKey)) {
 		if($accountKey == $key) {
 			if(Validator::password($newPassword)) {
 				if ($newPassword == $passwordRepeat) {
 					if (Validator::email($newEmail)) {
 						$emailExists = AccountModel::where('email', $newEmail)->count() > 0;
 						if (!$emailExists) {
 							$hooks->trigger(HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_3_POST);
 							if (empty($errors)) {
 								$account->setEMail($newEmail);
 								$tmp_new_pass = $newPassword;
 								if (USE_ACCOUNT_SALT) {
 									$salt = generateRandomString(10, false, true, true);
 									$tmp_new_pass = $salt . $newPassword;
 								}
 								$account->setPassword(encrypt($tmp_new_pass));
 								$account->save();
 								if (USE_ACCOUNT_SALT) {
 									$account->setCustomField('salt', $salt);
 								}
 								$statusMsg = '';
 								if ($account->getCustomField('email_next') < time()) {
 									$mailBody = $twig->render('mail.account.lost.new-email.html.twig', [
 										'account' => $account,
 										'newPassword' => $newPassword,
 										'newEmail' => $newEmail,
 									]);
 									if (_mail($account->getCustomField('email'), configLua('serverName') . ' - New password to your account', $mailBody)) {
 										$statusMsg = '<br /><small>Sent e-mail with your account name and password to new e-mail. You should receive this e-mail in 15 minutes. You can login now with new password!</small>';
 									} else {
 										$statusMsg = '<br /><p class="error">An error occurred while sending email! You will not receive e-mail with this informations. For Admin: More info can be found in system/logs/mailer-error.log</p>';
 									}
 								} else {
 									$statusMsg = '<br /><small>You will not receive e-mail with this informations.</small>';
 								}
 								$twig->display('account/lost/finish.new-email.html.twig', [
 									'statusMsg' => $statusMsg,
 									'account' => $account,
 									'newPassword' => $newPassword,
 									'newEmail' => $newEmail,
 								]);
 								return;
 							}
 						}
 						else {
 							$errors[] = 'This email is already registered!';
 						}
 					} else {
 						$errors[] = Validator::getLastError();
 					}
 				}
 				else {
 					$errors[] = 'Passwords are not the same!';
 				}
 			}
 			else {
 				$errors[] = Validator::getLastError();
 			}
 		}
 		else {
 			$errors[] = 'Wrong recovery key!';
 		}
 	}
 	else {
 		$errors[] = 'Account of this character has no recovery key!';
 	}
 }
 else {
 	$errors[] = "Player or account of player <b>" . escapeHtml($nick) . "</b> doesn't exist.";
 }
 if (!empty($errors)) {
 	$twig->display('error_box.html.twig', [
 		'errors' => $errors,
 	]);
 }
 $twig->display('account.back_button.html.twig', [
 	'new_line' => true,
 	'center' => true,
 	'action' => getLink('account/lost/recovery-key/step-2') . '?nick=' . urlencode($nick) . '&key=' . urlencode($key),
 ]);
--- a/system/pages/account/lost/step-1.php
+++ b/system/pages/account/lost/step-1.php
@@ -1,26 +0,0 @@
 <?php
 defined('MYAAC') or die('Direct access not allowed!');
 csrfProtect();
 $title = 'Lost Account';
 $nick = $_REQUEST['nick'] ?? '';
 $player = new OTS_Player();
 $account = new OTS_Account();
 $player->find($nick);
 if($player->isLoaded()) {
 	$account = $player->getAccount();
 }
 if (ACTION == 'email') {
 	require __DIR__ . '/email/step-1.php';
 }
 else if (ACTION == 'recovery-key') {
 	require __DIR__ . '/recovery-key/step-1.php';
 }
 else {
 	$twig->display('account/lost/no-action.html.twig');
 }
--- a/system/pages/account/manage.php
+++ b/system/pages/account/manage.php
@@ -8,9 +8,6 @@
 * @copyright 2019 MyAAC
 * @link      https://my-aac.org
 */
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Account Management';
@@ -99,8 +96,12 @@ if($email_new_time > 1)
 	}
 }
-$actions = $account_logged->getActionsLog(1000);
+$actions = array();
 foreach($account_logged->getActionsLog(0, 1000) as $action) {
 	$actions[] = array('action' => $action['action'], 'date' => $action['date'], 'ip' => $action['ip'] != 0 ? long2ip($action['ip']) : inet_ntop($action['ipv6']));
 }
 $players = array();
 /** @var OTS_Players_List $account_players */
 $account_players = $account_logged->getPlayersList();
 $account_players->orderBy('id');
@@ -119,8 +120,6 @@ $twig->display('account.management.html.twig', array(
 	'account_registered' => $account_registered,
 	'account_rlname' => $account_rlname,
 	'account_location' => $account_location,
 	'twoFactorViews' => TwoFactorAuth::getInstance($account_logged)->getAccountManageViews(),
 	'actions' => $actions,
-	'players' => $account_players,
+	'players' => $account_players
 ));
--- a/system/pages/account/register-new.php
+++ b/system/pages/account/register-new.php
@@ -37,7 +37,7 @@ else
 			if($points >= setting('core.account_generate_new_reckey_price'))
 			{
 				$show_form = false;
-				$new_rec_key = generateRecoveryKey();
+				$new_rec_key = generateRandomString(10, false, true, true);
 				$mailBody = $twig->render('mail.account.register.html.twig', array(
 					'recovery_key' => $new_rec_key
--- a/system/pages/account/register.php
+++ b/system/pages/account/register.php
@@ -27,7 +27,7 @@ if(isset($_POST['registeraccountsave']) && $_POST['registeraccountsave'] == "1")
 	if($reg_password == $account_logged->getPassword()) {
 		if(empty($old_key)) {
 			$show_form = false;
-			$new_rec_key = generateRecoveryKey();
+			$new_rec_key = generateRandomString(10, false, true, true);
 			$account_logged->setCustomField("key", $new_rec_key);
 			$account_logged->logAction('Generated recovery key.');
--- a/system/pages/characters.php
+++ b/system/pages/characters.php
@@ -452,8 +452,10 @@ WHERE killers.death_id = '".$death['id']."' ORDER BY killers.final_hit DESC, kil
 	if($query->rowCount() > 0) {
 		echo 'Did you mean:<ul>';
 		foreach($query as $player) {
-			$player['vocation'] = OTS_Toolbox::getVocationFromPromotion($player['vocation'], $player['promotion'] ?? 0);
+			if(isset($player['promotion'])) {
-
+				if((int)$player['promotion'] > 0)
 					$player['vocation'] += ($player['promotion'] * $config['vocations_amount']);
 			}
 			echo '<li>' . getPlayerLink($player['name']) . ' (<small><strong>level ' . $player['level'] . ', ' . $config['vocations'][$player['vocation']] . '</strong></small>)</li>';
 		}
 		echo '</ul>';
--- a/system/pages/forum/show_board.php
+++ b/system/pages/forum/show_board.php
@@ -42,12 +42,35 @@ for($i = 0; $i < $threads_count['threads_count'] / setting('core.forum_threads_p
 		$links_to_pages .= '<b>'.($i + 1).' </b>';
 }
 echo '<a href="' . getLink('forum') . '">Boards</a> >> <b>'.escapeHtml($sections[$section_id]['name']).'</b>';
 if($logged && (!$sections[$section_id]['closed'] || Forum::isModerator())) {
 	echo '<br /><br />
 		<a href="' . getLink('forum') . '?action=new_thread&section_id='.$section_id.'"><img src="images/forum/topic.gif" border="0" /></a>';
 }
 echo '<br /><br />Page: '.$links_to_pages.'<br />';
 $last_threads = $db->query("SELECT `players`.`id` as `player_id`, `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`first_post`, `" . FORUM_TABLE_PREFIX . "forum`.`post_text`, `" . FORUM_TABLE_PREFIX . "forum`.`post_topic`, `" . FORUM_TABLE_PREFIX . "forum`.`id`, `" . FORUM_TABLE_PREFIX . "forum`.`last_post`, `" . FORUM_TABLE_PREFIX . "forum`.`replies`, `" . FORUM_TABLE_PREFIX . "forum`.`views`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` AND `" . FORUM_TABLE_PREFIX . "forum`.`section` = ".$section_id." AND `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = `" . FORUM_TABLE_PREFIX . "forum`.`id` ORDER BY `" . FORUM_TABLE_PREFIX . "forum`.`last_post` DESC LIMIT ".setting('core.forum_threads_per_page')." OFFSET ".($_page * setting('core.forum_threads_per_page')))->fetchAll(PDO::FETCH_ASSOC);
-$threads = [];
+if(isset($last_threads[0])) {
-if(count($last_threads) > 0) {
+	echo '<table width="100%">
 <tr bgcolor="'.$config['vdarkborder'].'" align="center">
 <td class="white">
 <span style="font-size: 10px"><b>Thread</b></span></td>
 <td><span style="font-size: 10px"><b>Thread Starter</b></span></td>
 <td><span style="font-size: 10px"><b>Replies</b></span></td>
 <td><span style="font-size: 10px"><b>Views</b></span></td>
 <td><span style="font-size: 10px"><b>Last Post</b></span></td>
 </tr>';
 	$player = new OTS_Player();
 	foreach($last_threads as $thread) {
 		echo '<tr bgcolor="' . getStyle($number_of_rows++) . '"><td>';
 		if(Forum::isModerator()) {
 			echo '<a href="' . getLink('forum') . '?action=move_thread&id=' . $thread['id'] . '" title="Move Thread"><img src="images/icons/arrow_right.gif"/></a>';
 			$twig->display('forum.remove_post.html.twig', ['post' => $thread]);
 		}
 		$player->load($thread['player_id']);
 		if(!$player->isLoaded()) {
 			throw new RuntimeException('Forum error: Player not loaded.');
@@ -56,29 +79,28 @@ if(count($last_threads) > 0) {
 		$player_account = $player->getAccount();
 		$canEditForum = $player_account->hasFlag(FLAG_CONTENT_FORUM) || $player_account->isAdmin();
-		$thread['link'] = getForumThreadLink($thread['id']);
+		echo '<a href="' . getForumThreadLink($thread['id']) . '">'.htmlspecialchars($thread['post_topic']). '</a><br /><small>'.($canEditForum ? substr(strip_tags($thread['post_text']), 0, 50) : htmlspecialchars(substr($thread['post_text'], 0, 50))).'...</small></td><td>' . getPlayerLink($thread['name']) . '</td><td>'.(int) $thread['replies'].'</td><td>'.(int) $thread['views'].'</td><td>';
 		$thread['post_shortened'] = ($canEditForum ? substr(strip_tags($thread['post_text']), 0, 50) : htmlspecialchars(substr($thread['post_text'], 0, 50)));
 		$thread['player'] = $player;
 		$thread['player_link'] = getPlayerLink($thread['name']);
 		if($thread['last_post'] > 0) {
 			$last_post = $db->query("SELECT `players`.`name`, `" . FORUM_TABLE_PREFIX . "forum`.`post_date` FROM `players`, `" . FORUM_TABLE_PREFIX . "forum` WHERE `" . FORUM_TABLE_PREFIX . "forum`.`first_post` = ".(int) $thread['id']." AND `players`.`id` = `" . FORUM_TABLE_PREFIX . "forum`.`author_guid` ORDER BY `post_date` DESC LIMIT 1")->fetch();
-			$last_post['player_link'] = getPlayerLink($last_post['name']);
+			if(isset($last_post['name'])) {
-			$thread['latest_post'] = $last_post;
+				echo date('d.m.y H:i:s', $last_post['post_date']) . '<br />by ' . getPlayerLink($last_post['name']);
 			}
 			else {
 				echo 'No posts.';
 			}
 		}
 		else {
 			echo date('d.m.y H:i:s', $thread['post_date']) . '<br />by ' . getPlayerLink($thread['name']);
 		}
 		echo '</td></tr>';
 	}
-		$threads[] = $thread;
+	echo '</table>';
 	if($logged && (!$sections[$section_id]['closed'] || Forum::isModerator())) {
 		echo '<br /><a href="' . getLink('forum') . '?action=new_thread&section_id=' . $section_id . '"><img src="images/forum/topic.gif" border="0" /></a>';
 	}
 }
-
+else {
-$twig->display('forum.show_board.html.twig', [
+	echo '<h3>No threads in this board.</h3>';
-	'threads' => $threads,
+}
 	'section_id' => $section_id,
 	'section_name' => $sections[$section_id]['name'],
 	'links_to_pages' => $links_to_pages,
 	'is_moderator' => Forum::isModerator(),
 	'closed' => $sections[$section_id]['closed'],
 ]);
--- a/system/pages/gallery.php
+++ b/system/pages/gallery.php
@@ -9,25 +9,316 @@
 */
 use MyAAC\Cache\Cache;
 use MyAAC\Models\Gallery as ModelsGallery;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Gallery';
-const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
+$canEdit = hasFlag(FLAG_CONTENT_GALLERY) || superAdmin();
 if($canEdit) {
 	if(function_exists('imagecreatefrompng')) {
 		if (!empty($action)) {
 			if ($action == 'delete' || $action == 'edit' || $action == 'hide' || $action == 'moveup' || $action == 'movedown')
 				$id = $_REQUEST['id'];
-$images = Cache::remember('gallery', 5 * 60, function () {
+			if (isset($_REQUEST['comment']))
-	$images = glob(BASE . GALLERY_DIR . '*.*');
+				$comment = stripslashes($_REQUEST['comment']);
-	$images = array_filter($images, function ($image) {
+			if (isset($_REQUEST['image']))
-		$ext = pathinfo($image, PATHINFO_EXTENSION);
+				$image = $_REQUEST['image'];
-		return (in_array($ext, ALLOWED_EXTENSIONS) && !str_contains($image, '_thumb'));
+			if (isset($_REQUEST['author']))
-	});
+				$author = $_REQUEST['author'];
-	return array_map(function ($image) {
+			$errors = array();
-		return basename($image);
+
-	}, $images);
+			if ($action == 'add') {
 				if (Gallery::add($comment, $image, $author, $errors))
 					$comment = $image = $author = '';
 			} else if ($action == 'delete') {
 				Gallery::delete($id, $errors);
 			} else if ($action == 'edit') {
 				if (isset($id) && !isset($name)) {
 					$tmp = Gallery::get($id);
 					$comment = $tmp['comment'];
 					$image = $tmp['image'];
 					$author = $tmp['author'];
 				} else {
 					Gallery::update($id, $comment, $image, $author);
 					$action = $comment = $image = $author = '';
 				}
 			} else if ($action == 'hide') {
 				Gallery::toggleHide($id, $errors);
 			} else if ($action == 'moveup') {
 				Gallery::move($id, -1, $errors);
 			} else if ($action == 'movedown') {
 				Gallery::move($id, 1, $errors);
 			}
 			if (!empty($errors))
 				$twig->display('error_box.html.twig', array('errors' => $errors));
 		}
 		if(!isset($_GET['image'])) {
 			$twig->display('gallery.form.html.twig', array(
 				'link' => getLink('gallery/' . ($action == 'edit' ? 'edit' : 'add')),
 				'action' => $action,
 				'id' => isset($id) ? $id : null,
 				'comment' => isset($comment) ? $comment : null,
 				'image' => isset($image) ? $image : null,
 				'author' => isset($author) ? $author : null
 			));
 		}
 	}
 	else
 		echo 'You cannot edit/add gallery items as it seems your PHP installation doesnt have GD support enabled. Visit <a href="http://be2.php.net/manual/en/image.installation.php">PHP Manual</a> for more info.';
 }
 if(isset($_GET['image']))
 {
 	$image = $db->query('SELECT * FROM `' . TABLE_PREFIX . 'gallery`  WHERE `id` = ' . $db->quote($_GET['image']) . ' ORDER by `ordering` LIMIT 1;');
 	if($image->rowCount() == 1)
 		$image = $image->fetch();
 	else
 	{
 		echo 'Image with this id does not exists.';
 		return;
 	}
 	$previous_image = $db->query('SELECT `id` FROM `' . TABLE_PREFIX . 'gallery` WHERE `id` = ' . $db->quote($image['id'] - 1) . ' ORDER by `ordering`;');
 	if($previous_image->rowCount() == 1)
 		$previous_image = $previous_image->fetch();
 	else
 		$previous_image = NULL;
 	$next_image = $db->query('SELECT `id` FROM `' . TABLE_PREFIX . 'gallery` WHERE `id` = ' . $db->quote($image['id'] + 1) . ' ORDER by `ordering`;');
 	if($next_image->rowCount() == 1)
 		$next_image = $next_image->fetch();
 	else
 		$next_image = NULL;
 	$twig->display('gallery.get.html.twig', array(
 		'previous' => $previous_image ? $previous_image['id'] : null,
 		'next' => $next_image ? $next_image['id'] : null,
 		'image' => $image
 	));
 	return;
 }
 $images = Cache::remember('gallery_' . ($canEdit ? '1' : '0'), 60, function () use ($db, $canEdit) {
 	return $db->query('SELECT `id`, `comment`, `image`, `author`, `thumb`' .
 		($canEdit ? ', `hide`, `ordering`' : '') .
 		' FROM `' . TABLE_PREFIX . 'gallery`' .
 		(!$canEdit ? ' WHERE `hide` != 1' : '') .
 		' ORDER BY `ordering`;')->fetchAll(PDO::FETCH_ASSOC);
 });
-$twig->display('gallery.html.twig', [
+$last = count($images);
 if(!$last)
 {
 ?>
 	There are no images added to gallery yet.
 <?php
 	return;
 }
 $twig->display('gallery.html.twig', array(
 	'images' => $images,
-]);
+	'last' => $last,
 	'canEdit' => $canEdit
 ));
 class Gallery
 {
 	static public function add($comment, $image, $author, &$errors)
 	{
 		global $db;
 		if(isset($comment[0]) && isset($image[0]) && isset($author[0]))
 		{
 			$query =
 				$db->query(
 					'SELECT `ordering`' .
 					' FROM `' . TABLE_PREFIX . 'gallery`' .
 					' ORDER BY `ordering`' . ' DESC LIMIT 1'
 				);
 			$ordering = 0;
 			if($query->rowCount() > 0) {
 				$query = $query->fetch();
 				$ordering = $query['ordering'] + 1;
 			}
 			$pathinfo = pathinfo($image);
 			$extension = strtolower($pathinfo['extension']);
 			$thumb_filename = GALLERY_DIR . $pathinfo['filename'] . '_thumb.' . $extension;
 			$filename = GALLERY_DIR . $pathinfo['filename'] . '.' . $extension;
 			if($db->insert(TABLE_PREFIX . 'gallery', array(
 				'comment' => $comment,
 				'image' => $filename, 'author' => $author,
 				'thumb' => $thumb_filename,
 				'ordering' => $ordering))) {
 				if(self::generateThumb($db->lastInsertId(), $image, $errors))
 					self::resize($image, 650, 500, $filename, $errors);
 			}
 		}
 		else
 			$errors[] = 'Please fill all inputs.';
 		return !count($errors);
 	}
 	static public function get($id) {
 		return ModelsGallery::find($id)->toArray();
 	}
 	static public function update($id, $comment, $image, $author) {
 		$pathinfo = pathinfo($image);
 		$extension = strtolower($pathinfo['extension']);
 		$filename = GALLERY_DIR . $pathinfo['filename'] . '.' . $extension;
 		if(ModelsGallery::where('id', $id)->update([
 			'comment' => $comment,
 			'image' => $filename,
 			'author' => $author
 		])) {
 			if(self::generateThumb($id, $image, $errors))
 				self::resize($image, 650, 500, $filename, $errors);
 		}
 	}
 	static public function delete($id, &$errors)
 	{
 		if(isset($id))
 		{
 			$row = ModelsGallery::find($id);
 			if($row)
 				if (!$row->delete()) {
 					$errors[] = 'Fail during delete Gallery';
 				}
 			else
 				$errors[] = 'Image with id ' . $id . ' does not exists.';
 		}
 		else
 			$errors[] = 'id not set';
 		return !count($errors);
 	}
 	static public function toggleHide($id, &$errors)
 	{
 		if(isset($id))
 		{
 			$row = ModelsGallery::find($id);
 			if($row) {
 				$row->hide = $row->hide == 1 ? 0 : 1;
 				if (!$row->save()) {
 					$errors[] = 'Fail during toggle hide Gallery';
 				}
 			} else
 				$errors[] = 'Image with id ' . $id . ' does not exists.';
 		}
 		else
 			$errors[] = 'id not set';
 		return !count($errors);
 	}
 	static public function move($id, $i, &$errors)
 	{
 		global $db;
 		$query = self::get($id);
 		if($query !== false)
 		{
 			$ordering = $query['ordering'] + $i;
 			$old_record = $db->select(TABLE_PREFIX . 'gallery', array('ordering' => $ordering));
 			if($old_record !== false) {
 				ModelsGallery::where('ordering', $ordering)->update([
 					'ordering' => $query['ordering'],
 				]);
 			}
 			ModelsGallery::where('id', $id)->update([
 				'ordering' => $ordering,
 			]);
 		}
 		else
 			$errors[] = 'Image with id ' . $id . ' does not exists.';
 		return !count($errors);
 	}
 	static public function resize($file, $new_width, $new_height, $new_file, &$errors)
 	{
 		$pathinfo = pathinfo($file);
 		$extension = strtolower($pathinfo['extension']);
 		switch ($extension)
 		{
 			case 'gif': // GIF
 				$image = imagecreatefromgif($file);
 				break;
 			case 'jpg': // JPEG
 			case 'jpeg':
 				$image = imagecreatefromjpeg($file);
 				break;
 			case 'png': // PNG
 				$image = imagecreatefrompng($file);
 				break;
 			default:
 				$errors[] = 'Unsupported file format.';
 				return false;
 		}
 		$width = imagesx($image);
 		$height = imagesy($image);
 		// create a new temporary image
 		$tmp_img = imagecreatetruecolor($new_width, $new_height);
 		// copy and resize old image into new image
 		imagecopyresized($tmp_img, $image, 0, 0, 0, 0, $new_width, $new_height, $width, $height);
 		// save thumbnail into a file
 		switch($extension)
 		{
 			case 'gif':
 				imagegif($tmp_img, $new_file);
 				break;
 			case 'jpg':
 			case 'jpeg':
 				imagejpeg($tmp_img, $new_file);
 				break;
 			case 'png':
 				imagepng($tmp_img, $new_file);
 				break;
 		}
 		return true;
 	}
 	static public function generateThumb($id, $file, &$errors)
 	{
 		$pathinfo = pathinfo($file);
 		$extension = strtolower($pathinfo['extension']);
 		$thumb_filename = GALLERY_DIR . $pathinfo['filename'] . '_thumb.' . $extension;
 		if(!self::resize($file, 170, 110, $thumb_filename, $errors))
 			return false;
 		if(isset($id))
 		{
 			$row = ModelsGallery::find($id);
 			if($row) {
 				$row->thumb = $thumb_filename;
 				$row->save();
 			} else
 				$errors[] = 'Image with id ' . $id . ' does not exists.';
 		}
 		else
 			$errors[] = 'id not set';
 		return !count($errors);
 	}
 }
--- a/system/pages/highscores.php
+++ b/system/pages/highscores.php
@@ -13,7 +13,6 @@ use MyAAC\Cache\Cache;
 use MyAAC\Models\Player;
 use MyAAC\Models\PlayerDeath;
 use MyAAC\Models\PlayerKillers;
 use MyAAC\Server\XML\Vocations;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Highscores';
@@ -36,20 +35,24 @@ if(!is_numeric($page) || $page < 1 || $page > PHP_INT_MAX) {
 $query = Player::query();
 $configVocations = config('vocations');
 $configVocationsAmount = config('vocations_amount');
 $vocationId = null;
 if($vocation !== 'all') {
 	foreach($configVocations as $id => $name) {
 		if(strtolower($name) == $vocation) {
 			$vocationId = $id;
-			$filterVocations = [$id];
+			$add_vocs = [$id];
-			while($tmpVoc = Vocations::getPromoted($id)) {
+			if ($id !== 0) {
-				$id = $tmpVoc;
+				$i = $id + $configVocationsAmount;
-				$filterVocations[] = $tmpVoc;
+				while (isset($configVocations[$i])) {
 					$add_vocs[] = $i;
 					$i += $configVocationsAmount;
 				}
 			}
-			$query->whereIn('players.vocation', $filterVocations);
+			$query->whereIn('players.vocation', $add_vocs);
 			break;
 		}
 	}
@@ -322,5 +325,4 @@ $twig->display('highscores.html.twig', [
 	'page' => $page,
 	'baseLink' => $baseLink,
 	'updatedAt' => $updatedAt,
 	'baseVocations' => Vocations::getBase(true),
 ]);
--- a/system/pages/online.php
+++ b/system/pages/online.php
@@ -12,7 +12,6 @@
 use MyAAC\Cache\Cache;
 use MyAAC\Models\ServerConfig;
 use MyAAC\Models\ServerRecord;
 use MyAAC\Server\XML\Vocations;
 defined('MYAAC') or die('Direct access not allowed!');
 $title = 'Who is online?';
@@ -57,14 +56,15 @@ $cached = Cache::remember("online_$order", setting('core.online_cache_ttl') * 60
 	$vocations = array_map(function ($name) {
 		return 0;
-	}, config('vocations'));
+	}, setting('core.vocations'));
 	if($db->hasTable('players_online')) // tfs 1.0
 		$playersOnline = $db->query('SELECT `accounts`.`country`, `players`.`name`, `players`.`level`, `players`.`vocation`' . $outfit . ', `' . $skull_time . '` as `skulltime`, `' . $skull_type . '` as `skull` FROM `accounts`, `players`, `players_online` WHERE `players`.`id` = `players_online`.`player_id` AND `accounts`.`id` = `players`.`account_id`  ORDER BY ' . $orderSql);
 	else
 		$playersOnline = $db->query('SELECT `accounts`.`country`, `players`.`name`, `players`.`level`, `players`.`vocation`' . $outfit . ', ' . $promotion . ' `' . $skull_time . '` as `skulltime`, `' . $skull_type . '` as `skull` FROM `accounts`, `players` WHERE `players`.`online` > 0 AND `accounts`.`id` = `players`.`account_id`  ORDER BY ' . $orderSql);
-	$configVocations = config('vocations');
+	$settingVocations = setting('core.vocations');
 	$settingVocationsAmount = setting('core.vocations_amount');
 	$players = [];
 	foreach($playersOnline as $player) {
@@ -81,19 +81,22 @@ $cached = Cache::remember("online_$order", setting('core.online_cache_ttl') * 60
 			}
 		}
-		$player['vocation'] = OTS_Toolbox::getVocationFromPromotion($player['vocation'], $player['promotion'] ?? 0);
+		if(isset($player['promotion'])) {
 			if((int)$player['promotion'] > 0)
 				$player['vocation'] += ($player['promotion'] * $settingVocationsAmount);
 		}
 		$players[] = array(
 			'name' => getPlayerLink($player['name']),
 			'player' => $player,
 			'level' => $player['level'],
-			'vocation' => $configVocations[$player['vocation']],
+			'vocation' => $settingVocations[$player['vocation']],
 			'skull' => $skull,
 			'country_image' => getFlagImage($player['country']),
 			'outfit' => setting('core.outfit_images_url') . '?id=' . $player['looktype'] . ($outfit_addons ? '&addons=' . $player['lookaddons'] : '') . '&head=' . $player['lookhead'] . '&body=' . $player['lookbody'] . '&legs=' . $player['looklegs'] . '&feet=' . $player['lookfeet'],
 		);
-		$vocations[Vocations::getOriginal($player['vocation'])]++;
+		$vocations[($player['vocation'] > $settingVocationsAmount ? $player['vocation'] - $settingVocationsAmount : $player['vocation'])]++;
 	}
 	$record = '';
@@ -139,7 +142,6 @@ $twig->display('online.html.twig', array(
 	'vocations' => $cached['vocations'],
 	'vocs' => $cached['vocations'], // deprecated, to be removed
 	'order' => $order,
 	'baseVocations' => Vocations::getBase(false),
 ));
 // search bar
--- a/system/router.php
+++ b/system/router.php
@@ -8,7 +8,6 @@
 * @link      https://my-aac.org
 */
 use MyAAC\Models\Menu;
 use MyAAC\Models\Pages;
 use MyAAC\Plugins;
@@ -332,20 +331,7 @@ else {
 	}
 }
-$tmpPageOriginal = $page;
+if (!$found) {
 $pagesWithDynamicPart = ['characters', 'forum', 'highscores', 'monsters'];
 foreach ($pagesWithDynamicPart as $_page) {
 	if (str_contains($page, $_page)) {
 		$tmpPageOriginal = $_page;
 	}
 }
 $themeMenu = Menu::select(['name'])
 	->where('template', $template_name)
 	->where('link', $tmpPageOriginal)
 	->where('access', '>', $logged_access);
 if (!$found || $themeMenu->count() >= 1) {
 	$page = '404';
 	$file = SYSTEM . 'pages/404.php';
 }
--- a/system/settings.php
+++ b/system/settings.php
@@ -219,14 +219,7 @@ return [
 		'cache_engine' => [
 			'name' => 'Cache Engine',
 			'type' => 'options',
-			'options' => [
+			'options' => ['auto' => 'Auto', 'file' => 'Files', 'apc' => 'APC', 'apcu' => 'APCu', 'disable' => 'Disable'],
 				'auto' => 'Auto',
 				'file' => 'Files',
 				'apc' => 'APC',
 				'apcu' => 'APCu',
 				'php' => 'PHP',
 				'disable' => 'Disable',
 			],
 			'desc' => 'Auto is most reasonable. It will detect the best cache engine',
 			'default' => 'auto',
 			'is_config' => true,
@@ -341,31 +334,20 @@ return [
 				},
 			],
 		],
 		/**
 		 * @deprecated
 		 * To be removed in v3.0
 		 */
 		'vocations_amount' => [
-			'hidden' => true,
+			'name' => 'Vocations Amount',
 			'type' => 'number',
-			//'name' => 'Vocations Amount',
+			'desc' => 'How much basic vocations your server got (without promotion)',
 			//'desc' => 'How many basic vocations your server got (without promotion)',
 			'default' => 4,
 			'callbacks' => [
 				'get' => function () {
 					return config('vocations_amount');
 				},
 			],
 		],
 		'vocations' => [
-			'hidden' => true,
+			'name' => 'Vocation Names',
 			'type' => 'textarea',
-			//'name' => 'Vocation Names',
+			'desc' => 'Separated by comma. Must be in the same order as in vocations.xml, starting with id: 0.',
 			//'desc' => 'Separated by comma. Must be in the same order as in vocations.xml, starting with id: 0.',
 			'default' => 'None, Sorcerer, Druid, Paladin, Knight, Master Sorcerer, Elder Druid,Royal Paladin, Elite Knight',
 			'callbacks' => [
-				'get' => function () {
+				'get' => function ($value) {
-					return config('vocations');
+					return array_map('trim', explode(',', $value));
 				},
 			],
 		],
@@ -1744,18 +1726,6 @@ Sent by MyAAC,<br/>
 				'account_login_ipban_protection', '=', 'true'
 			]
 		],
 		[
 			'type' => 'section',
 			'title' => 'Cooldowns',
 		],
 		'account_create_ip_block_cooldown' => [
 			'name' => 'Create Account IP Block Cooldown',
 			'type' => 'number',
 			'desc' => 'Block flooding create account per ip. If you still have a problem with account create spam - then its recommended to install the recaptcha plugin.' .
 				'<br/><strong>In minutes.</strong> 0 to disable.',
 			'default' => 10,
 		],
 	],
 	'callbacks' => [
 		'beforeSave' => function(&$settings, &$values) {
--- a/system/src/Cache/APC.php
+++ b/system/src/Cache/APC.php
@@ -13,8 +13,8 @@ namespace MyAAC\Cache;
 class APC
 {
-	private string $prefix;
+	private $prefix;
-	private bool $enabled;
+	private $enabled;
 	public function __construct($prefix = '')
 	{
@@ -22,14 +22,14 @@ class APC
 		$this->enabled = function_exists('apc_fetch');
 	}
-	public function set($key, $var, $ttl = 0): void
+	public function set($key, $var, $ttl = 0)
 	{
 		$key = $this->prefix . $key;
 		apc_delete($key);
 		apc_store($key, $var, $ttl);
 	}
-	public function get($key): string
+	public function get($key)
 	{
 		$tmp = '';
 		if ($this->fetch($this->prefix . $key, $tmp)) {
@@ -39,15 +39,18 @@ class APC
 		return '';
 	}
-	public function fetch($key, &$var): bool {
+	public function fetch($key, &$var)
 	{
 		return ($var = apc_fetch($this->prefix . $key)) !== false;
 	}
-	public function delete($key): void {
+	public function delete($key)
 	{
 		apc_delete($this->prefix . $key);
 	}
-	public function enabled(): bool {
+	public function enabled()
 	{
 		return $this->enabled;
 	}
 }
--- a/system/src/Cache/APCu.php
+++ b/system/src/Cache/APCu.php
@@ -13,8 +13,8 @@ namespace MyAAC\Cache;
 class APCu
 {
-	private string $prefix;
+	private $prefix;
-	private bool $enabled;
+	private $enabled;
 	public function __construct($prefix = '')
 	{
@@ -22,14 +22,14 @@ class APCu
 		$this->enabled = function_exists('apcu_fetch');
 	}
-	public function set($key, $var, $ttl = 0): void
+	public function set($key, $var, $ttl = 0)
 	{
 		$key = $this->prefix . $key;
 		apcu_delete($key);
 		apcu_store($key, $var, $ttl);
 	}
-	public function get($key): string
+	public function get($key)
 	{
 		$tmp = '';
 		if ($this->fetch($this->prefix . $key, $tmp)) {
@@ -39,15 +39,18 @@ class APCu
 		return '';
 	}
-	public function fetch($key, &$var): bool {
+	public function fetch($key, &$var)
 	{
 		return ($var = apcu_fetch($this->prefix . $key)) !== false;
 	}
-	public function delete($key): void {
+	public function delete($key)
 	{
 		apcu_delete($this->prefix . $key);
 	}
-	public function enabled(): bool {
+	public function enabled()
 	{
 		return $this->enabled;
 	}
 }
--- a/system/src/Cache/Cache.php
+++ b/system/src/Cache/Cache.php
@@ -47,15 +47,35 @@ class Cache
 			return self::$instance;
 		}
-		self::$instance = match (strtolower($engine)) {
+		switch (strtolower($engine)) {
-			'apc' => new APC($prefix),
+			case 'apc':
-			'apcu' => new APCu($prefix),
+				self::$instance = new APC($prefix);
-			'xcache' => new XCache($prefix),
+				break;
-			'file' => new File($prefix, CACHE),
+
-			'php' => new PHP($prefix, CACHE),
+			case 'apcu':
-			'auto' => self::generateInstance(self::detect(), $prefix),
+				self::$instance = new APCu($prefix);
-			default => new self(),
+				break;
-		};
+
 			case 'xcache':
 				self::$instance = new XCache($prefix);
 				break;
 			case 'file':
 				self::$instance = new File($prefix, CACHE);
 				break;
 			case 'php':
 				self::$instance = new PHP($prefix, CACHE);
 				break;
 			case 'auto':
 				self::$instance = self::generateInstance(self::detect(), $prefix);
 				break;
 			default:
 				self::$instance = new self();
 				break;
 		}
 		return self::$instance;
 	}
@@ -63,7 +83,7 @@ class Cache
 	/**
 	 * @return string
 	 */
-	public static function detect(): string
+	public static function detect()
 	{
 		if (function_exists('apc_fetch'))
 			return 'apc';
@@ -78,7 +98,8 @@ class Cache
 	/**
 	 * @return bool
 	 */
-	public function enabled(): bool {
+	public function enabled()
 	{
 		return false;
 	}
--- a/system/src/Cache/File.php
+++ b/system/src/Cache/File.php
@@ -12,22 +12,18 @@ namespace MyAAC\Cache;
 class File
 {
-	private string $prefix;
+	private $prefix;
-	private string $dir;
+	private $dir;
-	private bool $enabled;
+	private $enabled;
 	public function __construct($prefix = '', $dir = '')
 	{
 		$this->prefix = $prefix;
 		$this->dir = $dir;
 		ensureFolderExists($this->dir);
 		ensureIndexExists($this->dir);
 		$this->enabled = (file_exists($this->dir) && is_dir($this->dir) && is_writable($this->dir));
 	}
-	public function set($key, $var, $ttl = 0): void
+	public function set($key, $var, $ttl = 0)
 	{
 		$file = $this->_name($key);
 		file_put_contents($file, $var);
@@ -39,7 +35,7 @@ class File
 		touch($file, time() + $ttl);
 	}
-	public function get($key): string
+	public function get($key)
 	{
 		$tmp = '';
 		if ($this->fetch($key, $tmp)) {
@@ -49,7 +45,7 @@ class File
 		return '';
 	}
-	public function fetch($key, &$var): bool
+	public function fetch($key, &$var)
 	{
 		$file = $this->_name($key);
 		if (!file_exists($file) || filemtime($file) < time()) {
@@ -60,7 +56,7 @@ class File
 		return true;
 	}
-	public function delete($key): void
+	public function delete($key)
 	{
 		$file = $this->_name($key);
 		if (file_exists($file)) {
@@ -68,11 +64,13 @@ class File
 		}
 	}
-	public function enabled(): bool {
+	public function enabled()
 	{
 		return $this->enabled;
 	}
-	private function _name($key): string {
+	private function _name($key)
 	{
 		return sprintf('%s%s%s', $this->dir, $this->prefix, sha1($key));
 	}
 }
--- a/system/src/Cache/PHP.php
+++ b/system/src/Cache/PHP.php
@@ -12,37 +12,36 @@ namespace MyAAC\Cache;
 class PHP
 {
-	private string $prefix;
+	private $prefix;
-	private string $dir;
+	private $dir;
-	private bool $enabled;
+	private $enabled;
 	public function __construct($prefix = '', $dir = '')
 	{
 		$this->prefix = $prefix;
 		$this->dir = $dir;
 		$this->enabled = (file_exists($this->dir) && is_dir($this->dir) && is_writable($this->dir));
 	}
 	public function set($key, $var, $ttl = 0)
 	{
 		$var = var_export($var, true);
 		ensureFolderExists($this->dir);
 		ensureIndexExists($this->dir);
-		$this->enabled = (file_exists($this->dir) && is_dir($this->dir) && is_writable($this->dir));
+		// Write to temp file first to ensure atomicity
-	}
+		$tmp = $this->dir . "tmp_$key." . uniqid('', true) . '.tmp';
 		file_put_contents($tmp, '<?php $var = ' . $var . ';', LOCK_EX);
-	public function set($key, $var, $ttl = 0): void
+		$file = $this->_name($key);
-	{
+		rename($tmp, $file);
 		$var = var_export($var, true);
 		if ($ttl === 0) {
 			$ttl = 365 * 24 * 60 * 60; // 365 days
 		}
-		$expires = time() + $ttl;
+		touch($file, time() + $ttl);
 		// Write to temp file first to ensure atomicity
 		$tmp = $this->dir . "tmp_$key." . uniqid('', true) . '.tmp';
 		file_put_contents($tmp, "<?php return ['expires' => $expires, 'var' => $var];", LOCK_EX);
 		$file = $this->_name($key);
 		rename($tmp, $file);
 	}
 	public function get($key)
@@ -55,23 +54,19 @@ class PHP
 		return '';
 	}
-	public function fetch($key, &$var): bool
+	public function fetch($key, &$var)
 	{
 		$file = $this->_name($key);
-		if (!file_exists($file)) {
+		if (!file_exists($file) || filemtime($file) < time()) {
 			return false;
 		}
-		$content = include $file;
+		@include $file;
-		if (!isset($content) || $content['expires'] < time()) {
+		$var = isset($var) ? $var : null;
 			return false;
 		}
 		$var = $content['var'];
 		return true;
 	}
-	public function delete($key): void
+	public function delete($key)
 	{
 		$file = $this->_name($key);
 		if (file_exists($file)) {
@@ -79,11 +74,13 @@ class PHP
 		}
 	}
-	public function enabled(): bool {
+	public function enabled()
 	{
 		return $this->enabled;
 	}
-	private function _name($key): string {
+	private function _name($key)
 	{
 		return sprintf('%s%s%s', $this->dir, $this->prefix, sha1($key) . '.php');
 	}
 }
--- a/system/src/Cache/XCache.php
+++ b/system/src/Cache/XCache.php
@@ -13,8 +13,8 @@ namespace MyAAC\Cache;
 class XCache
 {
-	private string $prefix;
+	private $prefix;
-	private bool $enabled;
+	private $enabled;
 	public function __construct($prefix = '')
 	{
@@ -22,14 +22,14 @@ class XCache
 		$this->enabled = function_exists('xcache_get') && ini_get('xcache.var_size');
 	}
-	public function set($key, $var, $ttl = 0): void
+	public function set($key, $var, $ttl = 0)
 	{
 		$key = $this->prefix . $key;
 		xcache_unset($key);
 		xcache_set($key, $var, $ttl);
 	}
-	public function get($key): string
+	public function get($key)
 	{
 		$tmp = '';
 		if ($this->fetch($this->prefix . $key, $tmp)) {
@@ -39,7 +39,7 @@ class XCache
 		return '';
 	}
-	public function fetch($key, &$var): bool
+	public function fetch($key, &$var)
 	{
 		$key = $this->prefix . $key;
 		if (!xcache_isset($key)) {
@@ -50,11 +50,13 @@ class XCache
 		return true;
 	}
-	public function delete($key): void {
+	public function delete($key)
 	{
 		xcache_unset($this->prefix . $key);
 	}
-	public function enabled(): bool {
+	public function enabled()
 	{
 		return $this->enabled;
 	}
 }
--- a/system/src/Commands/GiveAdminCommand.php
+++ b/system/src/Commands/GiveAdminCommand.php
@@ -39,7 +39,7 @@ class GiveAdminCommand extends Command
 		}
 		if (!$account->isLoaded()) {
-			$io->error('Cannot find account mit supplied parameter: ' . $accountParam);
+			$io->error('Cannot find account with supplied parameter: ' . $accountParam);
 			return self::FAILURE;
 		}
--- a/system/src/CreateCharacter.php
+++ b/system/src/CreateCharacter.php
@@ -149,10 +149,7 @@ class CreateCharacter
 		if($db->hasColumn('players', 'direction'))
 			$player->setDirection($playerSample->getDirection());
-		if($db->hasColumn('players', 'conditions')) {
+		$player->setConditions($playerSample->getConditions());
 			$player->setConditions($playerSample->getConditions());
 		}
 		$rank = $playerSample->getRank();
 		if($rank->isLoaded()) {
 			$player->setRank($playerSample->getRank());
@@ -186,11 +183,7 @@ class CreateCharacter
 		$player->setLookHead($playerSample->getLookHead());
 		$player->setLookLegs($playerSample->getLookLegs());
 		$player->setLookType($playerSample->getLookType());
-
+		$player->setCap($playerSample->getCap());
 		if($db->hasColumn('players', 'cap')) {
 			$player->setCap($playerSample->getCap());
 		}
 		$player->setBalance(0);
 		$player->setPosX(0);
 		$player->setPosY(0);
--- a/system/src/Models/AccountAction.php
+++ b/system/src/Models/AccountAction.php
@@ -9,6 +9,6 @@ class AccountAction extends Model {
 	public $timestamps = false;
-	protected $fillable = ['account_id', 'ip', 'date', 'action'];
+	protected $fillable = ['account_id', 'ip', 'ipv6', 'date', 'action'];
 }
--- a/system/src/Models/AccountEMailCode.php
+++ b/system/src/Models/AccountEMailCode.php
@@ -1,14 +0,0 @@
 <?php
 namespace MyAAC\Models;
 use Illuminate\Database\Eloquent\Model;
 class AccountEMailCode extends Model {
 	protected $table = TABLE_PREFIX . 'account_email_codes';
 	public $timestamps = false;
 	protected $fillable = ['account_id', 'code', 'created_at'];
 }
--- a/system/src/Models/Gallery.php
+++ b/system/src/Models/Gallery.php
@@ -0,0 +1,18 @@
 <?php
 namespace MyAAC\Models;
 use Illuminate\Database\Eloquent\Model;
 class Gallery extends Model {
 	protected $table = TABLE_PREFIX . 'gallery';
 	public $timestamps = false;
 	protected $fillable = [
 		'comment', 'image', 'thumb',
 		'author', 'ordering', 'hide',
 	];
 }
--- a/system/src/Models/Menu.php
+++ b/system/src/Models/Menu.php
@@ -9,6 +9,6 @@ class Menu extends Model {
 	public $timestamps = false;
-	protected $fillable = ['template', 'name', 'link', 'access', 'blank', 'color', 'category', 'ordering', 'enabled'];
+	protected $fillable = ['template', 'name', 'link', 'blank', 'color', 'category', 'ordering', 'enabled'];
 }
--- a/system/src/Models/Player.php
+++ b/system/src/Models/Player.php
@@ -23,8 +23,6 @@ class Player extends Model {
 	public $timestamps = false;
 	protected $guarded = [];
 	protected $casts = [
 		'worldid' => 'integer',
 		'sex' => 'integer',
@@ -48,8 +46,14 @@ class Player extends Model {
 		});
 	}
-	public function getVocationNameAttribute() {
+	public function getVocationNameAttribute()
-		return \OTS_Toolbox::getVocationName($this->vocation, $this->promotion ?? 0);
+	{
 		$vocation = $this->vocation;
 		if (isset($this->promotion) && $this->promotion > 0) {
 			$vocation += ($this->promotion * setting('core.vocations_amount'));
 		}
 		return config('vocations')[$vocation] ?? 'Unknown';
 	}
 	public function getIsDeletedAttribute()
--- a/system/src/Server/XML/Vocations.php
+++ b/system/src/Server/XML/Vocations.php
@@ -1,101 +0,0 @@
 <?php
 namespace MyAAC\Server\XML;
 use MyAAC\Cache\Cache;
 class Vocations
 {
 	private static array $vocations;
 	private static array $vocationsFrom;
 	public function __construct()
 	{
 		$cached = Cache::remember('vocations', 10 * 60, function () {
 			$this->load();
 			$from = $this->getFrom();
 			$amount = 0;
 			foreach ($from as $vocId => $fromVocation) {
 				if ($vocId != 0 && $vocId == $fromVocation) {
 					$amount++;
 				}
 			}
 			return ['vocations' => $this->get(), 'vocationsFrom' => $from, 'amount' => $amount];
 		});
 		self::$vocations = $cached['vocations'];
 		self::$vocationsFrom = $cached['vocationsFrom'];
 		config(['vocations', self::$vocations]);
 		config(['vocations_amount', $cached['amount']]);
 	}
 	public function load(): void
 	{
 		if(!class_exists('DOMDocument')) {
 			throw new \RuntimeException('Please install PHP xml extension. MyAAC will not work without it.');
 		}
 		$vocationsXML = new \DOMDocument();
 		$file = config('data_path') . 'XML/vocations.xml';
 		if(!@file_exists($file)) {
 			$file = config('data_path') . 'vocations.xml';
 		}
 		if(!$vocationsXML->load($file)) {
 			throw new \RuntimeException('ERROR: Cannot load <i>vocations.xml</i> - the file is malformed. Check the file with xml syntax validator.');
 		}
 		foreach($vocationsXML->getElementsByTagName('vocation') as $vocation) {
 			$id = $vocation->getAttribute('id');
 			self::$vocations[$id] = $vocation->getAttribute('name');
 			$fromVocation = (int) $vocation->getAttribute('fromvoc');
 			self::$vocationsFrom[$id] = $fromVocation;
 		}
 	}
 	public static function get(): array {
 		return self::$vocations;
 	}
 	public static function getFrom(): array {
 		return self::$vocationsFrom;
 	}
 	public static function getPromoted(int $id): ?int {
 		foreach (self::$vocationsFrom as $vocId => $fromVocation) {
 			if ($id == $fromVocation && $vocId != $id) {
 				return $vocId;
 			}
 		}
 		return null;
 	}
 	public static function getOriginal(int $id): ?int {
 		while ($tmpId = self::$vocationsFrom[$id]) {
 			if ($tmpId == $id) {
 				break;
 			}
 			$id = $tmpId;
 		}
 		return $id;
 	}
 	public static function getBase($includingRook = true): array {
 		$vocations = [];
 		foreach (self::$vocationsFrom as $vocId => $fromVoc) {
 			if ($vocId == $fromVoc && ($vocId != 0 || $includingRook)) {
 				$vocations[] = $vocId;
 			}
 		}
 		return $vocations;
 	}
 }
--- a/system/src/Settings.php
+++ b/system/src/Settings.php
@@ -152,10 +152,9 @@ class Settings implements \ArrayAccess
 				}
 				if ($setting['type'] === 'category') {
 					$title = strtolower(str_replace(' ', '', $setting['title']));
 					?>
 					<li class="nav-item">
-						<a class="nav-link<?= ($i === 0 ? ' active' : ''); ?>" id="home-tab-<?= $i++; ?>" data-toggle="tab" href="#tab-<?= $title; ?>" type="button"><?= $setting['title']; ?></a>
+						<a class="nav-link<?= ($i === 0 ? ' active' : ''); ?>" id="home-tab-<?= $i++; ?>" data-toggle="tab" href="#tab-<?= str_replace(' ', '', $setting['title']); ?>" type="button"><?= $setting['title']; ?></a>
 					</li>
 					<?php
 				}
@@ -176,10 +175,8 @@ class Settings implements \ArrayAccess
 					if ($j++ !== 0) { // close previous category
 						echo '</tbody></table></div>';
 					}
 					$title = strtolower(str_replace(' ', '', $setting['title']));
 				?>
-				<div class="tab-pane fade show<?= ($j === 1 ? ' active' : ''); ?>" id="tab-<?= $title; ?>">
+				<div class="tab-pane fade show<?= ($j === 1 ? ' active' : ''); ?>" id="tab-<?= str_replace(' ', '', $setting['title']); ?>">
 					<?php
 					continue;
 				}
--- a/system/src/TwoFactorAuth/Gateway/AppAuthGateway.php
+++ b/system/src/TwoFactorAuth/Gateway/AppAuthGateway.php
@@ -1,19 +0,0 @@
 <?php
 namespace MyAAC\TwoFactorAuth\Gateway;
 use MyAAC\TwoFactorAuth\Interface\AuthGatewayInterface;
 use OTPHP\TOTP;
 class AppAuthGateway extends BaseAuthGateway implements AuthGatewayInterface
 {
 	public function verifyCode(string $code): bool
 	{
 		$otp = TOTP::createFromSecret($this->account->getCustomField('secret'));
 		$otp->setLabel($this->account->getEmail());
 		$otp->setIssuer(configLua('serverName'));
 		return $otp->verify($code);
 	}
 }
--- a/system/src/TwoFactorAuth/Gateway/BaseAuthGateway.php
+++ b/system/src/TwoFactorAuth/Gateway/BaseAuthGateway.php
@@ -1,12 +0,0 @@
 <?php
 namespace MyAAC\TwoFactorAuth\Gateway;
 class BaseAuthGateway
 {
 	protected \OTS_Account $account;
 	public function __construct(\OTS_Account $account) {
 		$this->account = $account;
 	}
 }
--- a/system/src/TwoFactorAuth/Gateway/EmailAuthGateway.php
+++ b/system/src/TwoFactorAuth/Gateway/EmailAuthGateway.php
@@ -1,16 +0,0 @@
 <?php
 namespace MyAAC\TwoFactorAuth\Gateway;
 use MyAAC\Models\AccountEMailCode;
 use MyAAC\TwoFactorAuth\Interface\AuthGatewayInterface;
 use MyAAC\TwoFactorAuth\TwoFactorAuth;
 class EmailAuthGateway extends BaseAuthGateway implements AuthGatewayInterface
 {
 	public function verifyCode(string $code): bool
 	{
 		return AccountEMailCode::where('account_id', '=', $this->account->getId())->where('code', $code)->where('created_at', '>', time() - TwoFactorAuth::EMAIL_CODE_VALID_UNTIL)->first() !== null;
 	}
 }
--- a/system/src/TwoFactorAuth/Interface/AuthGatewayInterface.php
+++ b/system/src/TwoFactorAuth/Interface/AuthGatewayInterface.php
@@ -1,9 +0,0 @@
 <?php
 namespace MyAAC\TwoFactorAuth\Interface;
 interface AuthGatewayInterface
 {
 	public function __construct(\OTS_Account $account);
 	public function verifyCode(string $code): bool;
 }
--- a/system/src/TwoFactorAuth/TwoFactorAuth.php
+++ b/system/src/TwoFactorAuth/TwoFactorAuth.php
@@ -1,270 +0,0 @@
 <?php
 namespace MyAAC\TwoFactorAuth;
 use MyAAC\Models\AccountEMailCode;
 use MyAAC\TwoFactorAuth\Gateway\AppAuthGateway;
 use MyAAC\TwoFactorAuth\Gateway\EmailAuthGateway;
 use OTPHP\TOTP;
 class TwoFactorAuth
 {
 	const TYPE_NONE = 0;
 	const TYPE_EMAIL = 1;
 	const TYPE_APP = 2;
 	// maybe later
 	//const TYPE_SMS = 3;
 	const EMAIL_CODE_VALID_UNTIL = 24 * 60 * 60;
 	private static self $instance;
 	private \OTS_Account $account;
 	private int $authType;
 	private EmailAuthGateway|AppAuthGateway $authGateway;
 	public function __construct(\OTS_Account|int $account) {
 		if (is_int($account)) {
 			$this->account = new \OTS_Account();
 			$this->account->load($account);
 		}
 		else {
 			$this->account = $account;
 		}
 		$this->authType = (int)$this->account->getCustomField('2fa_type');
 		$this->setAuthGateway($this->authType);
 	}
 	public static function getInstance($account = null): self
 	{
 		if (!isset(self::$instance)) {
 			self::$instance = new self($account);
 		}
 		return self::$instance;
 	}
 	public function process($login_account, $login_password, $remember_me, $code): bool
 	{
 		global $twig;
 		if (!$this->isActive()) {
 			return true;
 		}
 		$view = 'app';
 		if ($this->authType == self::TYPE_EMAIL) {
 			$view = 'email';#
 		}
 		if (empty($code)) {
 			if ($this->authType == self::TYPE_EMAIL) {
 				if (!$this->hasRecentEmailCode(15 * 60)) {
 					$this->resendEmailCode();
 				}
 			}
 			define('HIDE_LOGIN_BOX', true);
 			$twig->display("account/2fa/$view/login.html.twig", [
 				'account_login' => $login_account,
 				'password_login' => $login_password,
 				'remember_me' => $remember_me,
 			]);
 			return false;
 		}
 		if ($this->getAuthGateway()->verifyCode($code)) {
 			if ($this->authType === self::TYPE_EMAIL) {
 				$this->deleteOldCodes();
 			}
 			return true;
 		}
 		if (setting('core.mail_enabled')) {
 			$mailBody = $twig->render('mail.account.2fa.email-code.wrong-attempt.html.twig');
 			if (!_mail($this->account->getEMail(), configLua('serverName') . ' - Failed Two-Factor Authentication Attempt', $mailBody)) {
 				error('An error occurred while sending email. For Admin: More info can be found in system/logs/mailer-error.log');
 			}
 		}
 		define('HIDE_LOGIN_BOX', true);
 		if ($this->authType == self::TYPE_APP) {
 			$errors[] = 'The token is invalid!';
 		}
 		else {
 			$errors[] = 'Invalid E-Mail code!';
 		}
 		$twig->display('error_box.html.twig', ['errors' => $errors]);
 		$twig->display("account/2fa/$view/login.html.twig",
 			[
 				'account_login' => $login_account,
 				'password_login' => $login_password,
 				'remember_me' => $remember_me,
 				'wrongCode' => true,
 			]);
 		return false;
 	}
 	public function processClientLogin($code, string &$error, &$errorCode): bool
 	{
 		if (!$this->isActive()) {
 			return true;
 		}
 		if ($this->authType == self::TYPE_EMAIL) {
 			$errorCode = 8;
 		}
 		if ($code === false) {
 			$error = 'Submit a valid two-factor authentication token.';
 			if ($this->authType == self::TYPE_EMAIL) {
 				if (!$this->hasRecentEmailCode(15 * 60)) {
 					$this->resendEmailCode();
 				}
 			}
 			return false;
 		}
 		if (!$this->getAuthGateway()->verifyCode($code)) {
 			$error = 'Two-factor authentication failed, token is wrong.';
 			return false;
 		}
 		if ($this->authType === self::TYPE_EMAIL) {
 			$this->deleteOldCodes();
 		}
 		return true;
 	}
 	public function setAuthGateway(int $authType): void
 	{
 		if ($authType === self::TYPE_EMAIL) {
 			$this->authGateway = new EmailAuthGateway($this->account);
 		}
 		else if ($authType === self::TYPE_APP) {
 			$this->authGateway = new AppAuthGateway($this->account);
 		}
 	}
 	public function getAccountManageViews(): array
 	{
 		if ($this->authType == self::TYPE_EMAIL) {
 			$twoFactorView = 'account/2fa/main.protected.html.twig';
 			$twoFactorView2 = 'account/2fa/email/manage.connected.html.twig';
 		}
 		elseif ($this->authType == self::TYPE_APP) {
 			$twoFactorView = 'account/2fa/app/manage.connected.html.twig';
 			$twoFactorView2 = 'account/2fa/main.protected.html.twig';
 		}
 		else {
 			$twoFactorView = 'account/2fa/app/manage.enable.html.twig';
 			$twoFactorView2 = 'account/2fa/email/manage.enable.html.twig';
 		}
 		return [$twoFactorView, $twoFactorView2];
 	}
 	public function enable(int $type): void {
 		$this->account->setCustomField('2fa_type', $type);
 	}
 	public function disable(): void
 	{
 		global $db;
 		$this->account->setCustomField('2fa_type', self::TYPE_NONE);
 		if ($db->hasColumn('accounts', 'secret')) {
 			$this->account->setCustomField('secret', null);
 		}
 		$this->account->setCustomField('2fa_secret', '');
 	}
 	public function isActive(?int $authType = null): bool {
 		if ($authType !== null) {
 			return $this->authType === $authType;
 		}
 		return $this->authType != self::TYPE_NONE;
 	}
 	public function getAuthType(): int {
 		return $this->authType;
 	}
 	public function getAuthGateway(): AppAuthGateway|EmailAuthGateway  {
 		return $this->authGateway;
 	}
 	public function hasRecentEmailCode($since = self::EMAIL_CODE_VALID_UNTIL): bool {
 		return AccountEMailCode::where('account_id', '=', $this->account->getId())->where('created_at', '>', time() - $since)->first() !== null;
 	}
 	public function deleteOldCodes(): void {
 		AccountEMailCode::where('account_id', '=', $this->account->getId())->delete();
 	}
 	public function appInitTOTP(string $secret): TOTP
 	{
 		$otp = TOTP::createFromSecret($secret);
 		$otp->setLabel($this->account->getEmail());
 		$otp->setIssuer(configLua('serverName'));
 		return $otp;
 	}
 	public function appDisplayEnable(string $secret, ?TOTP $otp = null, array $errors = []): void
 	{
 		global $twig;
 		if ($otp === null) {
 			$otp = $this->appInitTOTP($secret);
 		}
 		$grCodeUri = $otp->getQrCodeUri(
 			'https://api.qrserver.com/v1/create-qr-code/?data=[DATA]&size=200x200&ecc=M',
 			'[DATA]'
 		);
 		$twig->display('account/2fa/app/enable.html.twig', [
 			'grCodeUri' => $grCodeUri,
 			'secret' => $secret,
 			'errors' => $errors,
 		]);
 	}
 	public function resendEmailCode(): void
 	{
 		global $twig;
 		$newCode = generateRandomString(6, true, false, true);
 		AccountEMailCode::create([
 			'account_id' => $this->account->getId(),
 			'code' => $newCode,
 			'created_at' => time(),
 		]);
 		$mailBody = $twig->render('mail.account.2fa.email-code.html.twig', [
 			'code' => $newCode,
 		]);
 		if (!_mail($this->account->getEMail(), configLua('serverName') . ' - Requested Authentication Email Code', $mailBody)) {
 			error('An error occurred while sending email. For Admin: More info can be found in system/logs/mailer-error.log');
 		}
 	}
 }
--- a/system/src/Validator.php
+++ b/system/src/Validator.php
@@ -183,7 +183,7 @@ class Validator
 			return false;
 		}
-		// installer doesn't know config.php yet
+		// installer doesn't know settings yet
 		// that's why we need to ignore the nulls
 		if(defined('MYAAC_INSTALL')) {
 			$minLength = 4;
@@ -207,21 +207,15 @@ class Validator
 			return false;
 		}
-		if(strspn($name, "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM- [ ] '") != $length)
+		if(strspn($name, "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM ") != $length)
 		{
-			self::$lastError = "Invalid name format. Use only A-Z, spaces and '.";
+			self::$lastError = "This name contains invalid letters. Please use only A-Z, a-z and space!";
 			return false;
 		}
 		if(preg_match('/ {2,}/', $name))
 		{
-			self::$lastError = 'Invalid character name format. Use only A-Z and no double spaces.';
+			self::$lastError = 'Invalid character name format. Use only A-Z, a-z and no double spaces.';
 			return false;
 		}
 		if(!preg_match("/[A-z ']/", $name))
 		{
 			self::$lastError = "Invalid name format. Use only A-Z, spaces and '.";
 			return false;
 		}
@@ -230,17 +224,23 @@ class Validator
 	/**
 	 * Validate new character name.
-	 * Name lenght must be 3-25 chars
+	 * Name length must be 3-25 chars
 	 *
 	 * @param  string $name Name to check
 	 * @return bool Is name valid?
 	 */
 	public static function newCharacterName($name)
 	{
-		global $db, $config;
+		global $db;
 		$name = trim($name);
 		$name_lower = strtolower($name);
 		if(strlen($name) < 1) {
 			self::$lastError = 'Please enter a name.';
 			return false;
 		}
 		$first_words_blocked = array_merge(["'", '-'], setting('core.create_character_name_blocked_prefix'));
 		foreach($first_words_blocked as $word) {
 			if($word == substr($name_lower, 0, strlen($word))) {
@@ -249,11 +249,6 @@ class Validator
 			}
 		}
 		if(str_ends_with($name_lower, "'") || str_ends_with($name_lower, "-")) {
 			self::$lastError = 'Your name contains illegal characters.';
 			return false;
 		}
 		if(substr($name_lower, 1, 1) == ' ') {
 			self::$lastError = 'Your name contains illegal space.';
 			return false;
@@ -265,11 +260,36 @@ class Validator
 		}
 		if(preg_match('/ {2,}/', $name)) {
-			self::$lastError = 'Invalid character name format. Use only A-Z and numbers 0-9 and no double spaces.';
+			self::$lastError = 'Invalid character name format. Use only A-Z and no double spaces.';
 			return false;
 		}
-		if(strtolower($config['lua']['serverName']) == $name_lower) {
+		if (substr($name[0], 0, 1) !== strtoupper(substr($name[0], 0, 1))) {
 			self::$lastError = 'The first letter of a name has to be a capital letter.';
 			return false;
 		}
 		foreach (explode(' ', $name) as $word) {
 			$wordCut = substr($word, 1, strlen($word));
 			$hasUpperCase = preg_match('/[A-Z]/', $wordCut);
 			if ($hasUpperCase) {
 				self::$lastError = 'In names capital letters are only allowed at the beginning of a word.';
 				return false;
 			}
 			if (strlen($word) == 1) {
 				self::$lastError = 'This name contains a word with only one letter. Please use more than one letter for each word.';
 				return false;
 			}
 			$hasVowel = preg_match('/[aeiouAEIOU]/', $word);
 			if (!$hasVowel) {
 				self::$lastError = 'This name contains a word without vowels. Please choose another name.';
 				return false;
 			}
 		}
 		if(strtolower(configLua('serverName')) == $name_lower) {
 			self::$lastError = 'Your name cannot be same as server name.';
 			return false;
 		}
--- a/system/src/global.php
+++ b/system/src/global.php
@@ -69,15 +69,6 @@ define('HOOK_ACCOUNT_LOGIN_AFTER_PASSWORD', ++$i);
 define('HOOK_ACCOUNT_LOGIN_AFTER_REMEMBER_ME', ++$i);
 define('HOOK_ACCOUNT_LOGIN_AFTER_PAGE', ++$i);
 define('HOOK_ACCOUNT_LOGIN_POST', ++$i);
 define('HOOK_ACCOUNT_LOGIN_PRE', ++$i);
 define('HOOK_ACCOUNT_LOST_CHECK_CODE_FINISH_AFTER_PASSWORD', ++$i);
 define('HOOK_ACCOUNT_LOST_CHECK_CODE_FINISH_AFTER_PASSWORD_REPEAT', ++$i);
 define('HOOK_ACCOUNT_LOST_EMAIL_SET_NEW_PASSWORD_POST', ++$i);
 define('HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_2_AFTER_CHARACTER', ++$i);
 define('HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_2_AFTER_EMAIL', ++$i);
 define('HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_2_AFTER_PASSWORD', ++$i);
 define('HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_2_AFTER_PASSWORD_REPEAT', ++$i);
 define('HOOK_ACCOUNT_LOST_RECOVERY_KEY_STEP_3_POST', ++$i);
 define('HOOK_ACCOUNT_CREATE_CHARACTER_AFTER', ++$i);
 define('HOOK_ACCOUNT_CREATE_CHARACTER_BEFORE_FIRST_TABLE', ++$i);
 define('HOOK_ACCOUNT_CREATE_CHARACTER_BEFORE_VOCATIONS', ++$i);
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
slawkens	0413de85b5	Release v1.8.9	2026-04-06 12:23:42 +02:00
Slawomir Boczek	dd97a749b4	Better name validation, like in the original game website (#356 ) * Better name validation, like in the original game website * Don't automatically ucfirst and strtolower the cases of the word * This allows for names like: Lord of Ring, Man of the Earth etc. * Don't allow special characters like: -, [], ' * Don't allow one letter words * Require at least one vowel per word * Add notice about admin logged in * Add trim, for future Currently its stripped anyway in the init.php, but AI don't know it :P Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Implement AI recommended changes * Update tools/validate.php Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Trim $name * Update Validator.php --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-04-06 10:41:29 +02:00
slawkens	4ae2fdd0df	Add page load time to admin panel	2026-03-15 13:02:22 +01:00
slawkens	2bf5f5a1db	Update GiveAdminCommand.php	2026-02-26 16:46:13 +01:00
slawkens	5fcde4708a	Install: don't suggest deleting of install folder It is not needed Instead just remove ip.txt, this will lock the installation	2026-02-24 21:04:20 +01:00
slawkens	f15b0122c6	Nothing important, code style & grammar	2026-02-24 20:35:20 +01:00
slawkens	4eb7f48fd7	Update discord link	2026-02-24 20:13:42 +01:00
dependabot[bot]	c82e537dc7	Bump qs from 6.14.1 to 6.14.2 (#353 ) Bumps [qs](https://github.com/ljharb/qs) from 6.14.1 to 6.14.2. - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](https://github.com/ljharb/qs/compare/v6.14.1...v6.14.2) --- updated-dependencies: - dependency-name: qs dependency-version: 6.14.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-02-15 01:23:24 +01:00
slawkens	8b10f85bc1	Start v1.8.9-dev	2026-02-04 18:37:03 +01:00