Today, after much work to convert my code that relied on Neowin’s backbone to help control the system, I have added my system which ties into Windows Live Custom Domains (see: Windows Live Custom Domains Is Cool) and allows you to create a custom e-mail account that is powered by Windows Live Mail.

This registration application gives you the chance to see how you can integrate Windows Live Mail into your site by giving your visitors an e-mail address that has some relation to your domain. At Neowin we provide a variety of domain name choices for members and some exclusive ones for subscribers. All of our e-mail domains have the Neowin name in them and provide recognition of our site to the users who exchange messages with these e-mail address.

If you don’t want to invest resources into running a full e-mail server but want to offer extra site service, Custom Domains is the way to go.

Feel free to give the Live Mail registration a try at the labs site: Live Mail @ blackice912 labs

The Apache module mod_rewrite is one of those things that many people don’t use or don’t know how to use properly. It not only helps your website with Search Engine Optimization (SEO), but makes your overall site look cleaner. Wordpress has built in support for mod_rewrite and I am taking advantage of it here, but it’s also something I’ve started using full time with any coding projects I take part in.

First lets look at a sample implementation of mod_rewrite. In this example we are imagining our .htaccess file is located in the root of our public html folder:

1. <IfModule mod_rewrite.c>
2. RewriteEngine on
3. RewriteRule Pattern Substitute
4. RewriteRule ^folder-a/([a-z.0-9]+)$ hidden-a/image/$1
5. RewriteRule ^about$ modules/plugins/index.php?mod=about
6. RewriteRule ^folder-c/([0-9]+)$ hidden-c/?id=$1
7. </IfModule>

Lets start with lines 1 and 7: While you probably don’t need these if you’re going to run the script on your site only and not distribute it, it’s best to include them as a habit anyways in case you do develop a script you want to give away.

Next we get to lines 2 and 3: Line 2 basically tells mod_rewrite to turn on while line 3 tells it we will be doing pattern substitution (replace X with Y). Nothing we really need to worry about.

Lines 4, 5, and 6 are where the fun begins. Right off you see that each line begins with RewriteRule, which tells mod_rewrite that this line contains URL modification commands. The next part always starts with ^ and ends with $ (like a container). The data contained in this part is basically our “if ($X = $Y), then grab data from $Z” line. The final part is our $Z line, as we are grabbing the actual data from the location mentioned in this part. A more detailed explanation follows.

PART A	    PART B		    PART C

RewriteRule ^folder-a/([a-z.0-9]+)$ hidden-a/image/$1

In line 4 we are telling the system to look for calls to folder-a and anything after it that contains a lowercase a through z, a period, and the numbers 0 through 9. If these parameters match, load the actual data located at hiddena/image/$1, but replace the $1 with the information that came after folder-a. So as an example: If your user requests http://yoursite.com/folder-a/foo.jpg, your site is going to return http://yoursite.com/hidden-a/image/foo.jpg. As this all happens server side, your URL stays nice and clean.

In line 5, we have a very basic example. If someone loads the about directory on your site, it automatically returns modules/plugins/index.php?mod=about. This is a nice way to hide those ugly variables and long URLs. Wouldn’t you rather have http://yoursite.com/about rather than http://yoursite.com/modules/plugins/index.php?mod=about? Some may argue that such an example is over stretching things a bit, but the point is getting across.

Line 6 is a lot like line 4. If something after folder-c matches the numbers 0 through 9, grab the data from hidden-c/?id=$1 and replace $1 with the numbers we grabbed after folder-c.

So mod_rewrite is a great way to have clean URLs. Can it also improve your script security? To a point, yes. Now as I mentioned above earlier, I am really just a beginner to mod_rewrite — I’ve only been using it less than a week. However so far I have not found a way to find out the true URL of a script that is hiding behind mod_rewrite. I know a few sites that use it and the only way I have been able to find the true URL was to have direct access over SFTP. Because of this advantage, you can use mod_rewrite to help secure input validation. By no means am I suggesting you should depend on mod_rewrite to validate all variables passed through the URL, but every extra bit helps.

Lets look at like 6 as an example. In this line I am telling the code to only pass information along to my hidden-c folder if the data after folder-c is a number. It doesn’t matter how long or short the number is, it just has to be a number. If someone were going to attempt a SQL injection attack, mod_rewrite would not pass the data along as the conditions in the string would not match what we have setup.

I hope that helped some of you better understand mod_rewrite. For more detailed information, please check out this full document on the mod_rewrite feature.