If you have tested the latest addition to the labs (see: New lab added: Live Mail), you would have noticed that there is a captcha (human verification) used to protect against bots creating e-mail addresses for worldwide domination. I could have created my own captcha in PHP, but I decided to use reCAPTCHA.

What’s so special about reCAPTCHA? Well in addition to protecting your registration, comments page, e-mail address, or wiki, it also helps the Internet Archive with it’s project of scanning old books for reading and archiving. Every time you use reCAPTCHA for verification, you’re helping to correct a word that was scanned into a computer but could not be read correctly by that system’s OCR (Optical Character Recognition) software.

If you’re interested in helping out a great site like the Internet Archive, I’d suggest checking this out. reCAPTCHA is compatible with various development languages and web applications such as WordPress.

Today, after much work to convert my code that relied on Neowin’s backbone to help control the system, I have added my system which ties into Windows Live Custom Domains (see: Windows Live Custom Domains Is Cool) and allows you to create a custom e-mail account that is powered by Windows Live Mail.

This registration application gives you the chance to see how you can integrate Windows Live Mail into your site by giving your visitors an e-mail address that has some relation to your domain. At Neowin we provide a variety of domain name choices for members and some exclusive ones for subscribers. All of our e-mail domains have the Neowin name in them and provide recognition of our site to the users who exchange messages with these e-mail address.

If you don’t want to invest resources into running a full e-mail server but want to offer extra site service, Custom Domains is the way to go.

Feel free to give the Live Mail registration a try at the labs site: Live Mail @ blackice912 labs

The above article, courtesy of IBM, is a good read if you’re looking at using a framework to support your coding ventures. It’s a lengthy read and gets a bit technical, but I recommend it.

Read the article

While I am not a big video posting person, I was made aware about the open source FLV player through a colleague of mine that had customized the style of the player. Had it not been for the information obtained when you right clicked on it I would have been fooled into thinking he wrote it from scratch.

This player, designed by Trent Tompkins, is a very easy way for those of us who aren’t Flash designers to get our content out there while making the wrapper (player) around our content look good at the same time.

As a test, I recorded a short clip, converted it into a FLV file, and uploaded it onto this site. Below are the results:

The video may have been a little dark (my fault, poor lighting) and a little spooky, but it took me a few seconds to make the video, a few more to convert it, and no more than a minute to upload and add the code above!

So for those of you who are looking into dipping your toes into video content publishing, I advise you take a look at this excellent player.

I am a big fan of Windows Live Custom Domains (WLCD). Microsoft’s custom service is basically a way for you to offer members of your website a custom e-mail address that identifies them as users of your website. It can also be setup so only you can hog it all to yourself and share with nobody, but what’s the fun in that?

WLCD allows for three methods of e-mail address registration: Open, Manual, and SOAP.

With Open registration you can create a link on your site to a form hosted by Microsoft that walks the user through the creation of an e-mail account.

With Manual registration your domain is locked down. This means that nobody can create any e-mail addresses except for you inside of the admin panel. There is no real advantage to this unless you only plan to setup a few e-mail accounts.

With the Simple Object Access Protocol (SOAP), you have the power at your fingertips. By locking your domain name down to prevent open registration, you can have your users sign up through your SOAP-based registration page. This method gives you a great deal of power on who you want to give registration access to and what domain names you want to offer them.

Above: Neowin's WLCD registration page using SOAP as the backend

Since we are communicating with Microsoft’s service using the XML commands they have designed, we can build a complete e-mail management system around that tool. Over at Neowin I designed the system so you have to be a registered member of the site in order to have access to a Neowin e-mail account. Also, depending on your membership level, there are various domain names to pick from.

Once a user fills out the form and submits it, our code connects to the Microsoft servers and pushes the XML request for account creation. If the server replies that the account has been created, we inform the user and instruct them on how to proceed next. In the code I wrote for Neowin there is also a local database where we keep track of the e-mail accounts created, as we are limiting one account per user. If a user were to try and register again, they would be blocked.

So, what’s a good way to do this in PHP? For Neowin I am using NuSOAP. It is a script that helps you to build your XML queries and process the returned ones. Also by looking at the website it looks like the project is dead based on the last updated news entry, but the download page shows it was last updated in November. Do you need NuSOAP? No, as it is completely possible to perform all the XML processing yourself. In a few cases I actually had to write custom XML as NuSOAP wasn’t sending the data correctly.

So if you’re in the market for a service to provide to your users, check out Windows Live Custom Domains.

Alternatives

So what if you are not a fan of the Windows Live services and want to go for an alternative, such as Gmail? Because while WLCD is free, the Gmail counterpart is going to cost you $50/year per e-mail account (unless you fall under the Educational rules). Why Google decided to charge for their API is beyond reason, but it puts access out of reach for the average website administrator/developer.

The Apache module mod_rewrite is one of those things that many people don’t use or don’t know how to use properly. It not only helps your website with Search Engine Optimization (SEO), but makes your overall site look cleaner. Wordpress has built in support for mod_rewrite and I am taking advantage of it here, but it’s also something I’ve started using full time with any coding projects I take part in.

First lets look at a sample implementation of mod_rewrite. In this example we are imagining our .htaccess file is located in the root of our public html folder:

1. <IfModule mod_rewrite.c>
2. RewriteEngine on
3. RewriteRule Pattern Substitute
4. RewriteRule ^folder-a/([a-z.0-9]+)$ hidden-a/image/$1
5. RewriteRule ^about$ modules/plugins/index.php?mod=about
6. RewriteRule ^folder-c/([0-9]+)$ hidden-c/?id=$1
7. </IfModule>

Lets start with lines 1 and 7: While you probably don’t need these if you’re going to run the script on your site only and not distribute it, it’s best to include them as a habit anyways in case you do develop a script you want to give away.

Next we get to lines 2 and 3: Line 2 basically tells mod_rewrite to turn on while line 3 tells it we will be doing pattern substitution (replace X with Y). Nothing we really need to worry about.

Lines 4, 5, and 6 are where the fun begins. Right off you see that each line begins with RewriteRule, which tells mod_rewrite that this line contains URL modification commands. The next part always starts with ^ and ends with $ (like a container). The data contained in this part is basically our “if ($X = $Y), then grab data from $Z” line. The final part is our $Z line, as we are grabbing the actual data from the location mentioned in this part. A more detailed explanation follows.

PART A	    PART B		    PART C

RewriteRule ^folder-a/([a-z.0-9]+)$ hidden-a/image/$1

In line 4 we are telling the system to look for calls to folder-a and anything after it that contains a lowercase a through z, a period, and the numbers 0 through 9. If these parameters match, load the actual data located at hiddena/image/$1, but replace the $1 with the information that came after folder-a. So as an example: If your user requests http://yoursite.com/folder-a/foo.jpg, your site is going to return http://yoursite.com/hidden-a/image/foo.jpg. As this all happens server side, your URL stays nice and clean.

In line 5, we have a very basic example. If someone loads the about directory on your site, it automatically returns modules/plugins/index.php?mod=about. This is a nice way to hide those ugly variables and long URLs. Wouldn’t you rather have http://yoursite.com/about rather than http://yoursite.com/modules/plugins/index.php?mod=about? Some may argue that such an example is over stretching things a bit, but the point is getting across.

Line 6 is a lot like line 4. If something after folder-c matches the numbers 0 through 9, grab the data from hidden-c/?id=$1 and replace $1 with the numbers we grabbed after folder-c.

So mod_rewrite is a great way to have clean URLs. Can it also improve your script security? To a point, yes. Now as I mentioned above earlier, I am really just a beginner to mod_rewrite — I’ve only been using it less than a week. However so far I have not found a way to find out the true URL of a script that is hiding behind mod_rewrite. I know a few sites that use it and the only way I have been able to find the true URL was to have direct access over SFTP. Because of this advantage, you can use mod_rewrite to help secure input validation. By no means am I suggesting you should depend on mod_rewrite to validate all variables passed through the URL, but every extra bit helps.

Lets look at like 6 as an example. In this line I am telling the code to only pass information along to my hidden-c folder if the data after folder-c is a number. It doesn’t matter how long or short the number is, it just has to be a number. If someone were going to attempt a SQL injection attack, mod_rewrite would not pass the data along as the conditions in the string would not match what we have setup.

I hope that helped some of you better understand mod_rewrite. For more detailed information, please check out this full document on the mod_rewrite feature.