There is another method for this floating around the internet, but I (and several others) have had very limited success.

After trying quite a few different things, I came up with the method below. It works perfect for me every time, unlike the other method out there.

UPDATE

: The newer versions of the Palm Desktop software seem to install properly on XP 64 with no issues, so try that first before you follow the steps below.

Instructions

1) Start > Run > msiexec /unregister

2) In regedit, find the following key:
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

3) Change MsiExecCA64
From this: C:\WINDOWS\system32\msiexec.exe
To this: C:\WINDOWS\SysWOW64\msiexec.exe

(This assumes a default Windows directory.
Change to reflect your configuration if needed.)

4) Restart the Windows Installer service
(Control Panel > Administrative Tools > Services)

5) Install Palm Desktop!

To go back to the previous settings, just reverse the change made in the registry, and stop/start the service again.

You can also set it back to normal by re-registering the installer:
Start > Run > msiexec /unregister
Start > Run > msiexec /register

Conclusion

I cannot claim any responsibility if you make a mistake and corrupt your system. To play it safe, make sure you have system restore enabled, so you can easily go back if there is a problem.

Let me know how it works for you!

Notice

If you are using iTunes 8.1 or newer, there is now a built-in feature to designate regular mp3 files as audiobooks, so these instructions are not needed.

Before you begin

For best results, you should not upload audiobooks that are larger than 320MB or longer than 5 hours. This can cause playback and stability problems. If you have files larger than this, splitting them up into smaller parts is recommended.

Most audiobooks that you download will be in multiple files. I personally like combining these into a single file so I do not have to remember which file I am listening to. It also keeps the audiobooks menu on my iPod much easier to read. I simply let the iPod remember my position in the audiobook when I come back to it. It is just personal preference.

Most audiobooks will be far less than 320MB and 5 hours long, so if you want, you can combine your MP3s into a single file before you begin. MP3 Merger is a great freeware program.

Configuring iTunes

Before you convert the files, iTunes must be set properly. You should only have to do this once. In the iTunes menu (I am using version 6), select the following:

Edit > Preferences > Advanced > Importing

Make sure “Import Using” is set as “AAC Encoder“.

Change “Setting” to “Custom” and set the following options:

Bit Rate: 64kbs (this is a nice average setting for most audiobooks)
Channels: Stereo (fixes an issue with homemade mono files on some iPods)
Check “Optimize for Voice“

Instructions

Add the files you want to convert to your library. Once they are there, select the file(s), right-click, and select “Convert Selection to AAC“. This will add the newly converted files to your library.

Once the conversion is complete, remove the original files from your library. They will no longer be needed for this process.

You can also remove the newly created files from your library, but when you are asked, be sure to select “Keep Files“, so they are not deleted off your hard drive.

The files are created under “My Documents\My Music\iTunes\iTunes Music” (unless you told iTunes otherwise), so open up that folder.

You will notice that the new files have the .m4a extension. They must be renamed to .m4b.

Now that the files are renamed, you can add them to your iTunes library once again.

Right-click on the new file(s) in your library and select “Get Info“.

You can change the name of the file(s) on this screen. If you like, you can clear out the “artist” and “album” fields, so that they do not show up with the rest of your music on the iPod (when you are looking at albums or artists). They will still show up under “audiobooks” of course.

You can also change the genre of the files to “Audiobooks” using the iTunes tag editor, to make the files easier to find when looking through iTunes.

All you have to do now is add the files to your iPod. They should work just like any iTunes audiobook. They will show up under the “Audiobooks” menu on your iPod, your playback position will be remembered, and they will not get played during song shuffles.

Conclusion

I take no responsibility if you mess anything up, but as long as you follow these steps, it should work fine.

I have a fourth generation iPod. While this method works great for me, I cannot promise that it will work for all revisions.

Securing your variables

In most versions of PHP, you can access the value of a variable before it is initialized. Consider this simple example:

if ($password == $the_password) {
    $logged_in = 1;
}
if ($logged_in == 1) {
    // secure stuff
}

All a visitor has to do is add ?logged_in=1 to the end of the URL and they will have access. While this may seem obvious, it is an extremely common problem with PHP scripts.

The best way to prevent this is to always make sure variables are declared before they are used. For this example, you can just add the following line at the top of the file:

$logged_in = 0;

Now the variable cannot be reset by a user since it is being declared before use.

Another recommendation is to enable error reporting. With the right setting, your scripts will generate an error if a variable is used before it is defined. While this might sound bothersome, it can be quite helpful for keeping things secure, since it will let you know of any variables you missed.

You can enable this for your entire server with a line in php.ini:

error_reporting = E_ALL

To enable this for a particular PHP script, just add this to the top of the file:

error_reporting(E_ALL);

If you do enable error reporting in your php.ini, but need it bypassed for a particular script, you can use this in your file:

error_reporting(0);

Variables passed to the script

On most servers, a visitor can put a variable in the URL which then gets turned into a variable in the script. There will be many times when you need information passed to the script in this manner, but only if you are asking for it. That is where the superglobals come in.

There are two superglobals which you will be using most of the time. $_GET and $_POST. $_GET is used to retrieve variables passed in the URL. $_POST is used to get values from html forms. In the past, you also had $HTTP_POST and $GET_VARS but they are depreciated and should not be used. Here is an example:

$the_name = $_GET['name'];

Keep in mind however that you need to make sure the value exists in the superglobal array before you use it, or you may receive an error. Try this:

if (isset($_GET['name'])) {
    $the_name = $_GET['name'];
} else {
    $the_name = "";
}

Now that you know how to get input from the user properly, there is still the matter of someone being able to pass random variables to your script. This is easy to fix with the register_globals option of PHP.

In your php.ini file, add this line:

register_globals = Off

Or in an .htaccess file:

php_flag register_globals off

Once again, if you need to re-enable register_globals for a particular script, you can do so with an alternate .htaccess file.

With register_globals disabled, the only way you will be able to accept user input is with the superglobals. Parameters passed to the script will no longer be automatically turned into variables.

Never trust the user

No matter what kind of input you are expecting, or what it will be used for, always validate it!

Even if you have a form textfield with a max length of 10 characters, you still need to make sure that the input is the proper size, because it is easy to bypass the very basic restrictions of html forms. It is even easy to send a multi-line input into a single-line textfield if you know what you are doing.

If you are displaying user input on the page, you must convert html characters to their browser-safe versions, so that the user does not cause code to execute on your server.

If you are putting user input into a MySql query you must use regular expressions to make sure the data is in the format you want, and then escape it with mysql_real_escape_string. Otherwise it can be very easy for someone to enter in a string of characters which can do very bad things to your database.

Here is a simple function which takes user input and makes it safe to display on the page. First it replaces any special html characters with their safe character codes. Then it checks magic quotes (to see if slashes were automatically added on input), and strips them if needed.

function fix_for_page($value){
    $value = htmlspecialchars(trim($value));
    if (get_magic_quotes_gpc()) 
        $value = stripslashes($value);
    return $value;
}

Magic quotes was created to make it easier for new PHP programmers to use user input. It automatically adds slashes when needed, but the problem is that it can cause even more confusion. This is why you need to first check to see if it is enabled, and process it accordingly.

This next function takes user input and makes it safe for use in a MySql query. It does this by stripping slashes (if needed), then using the mysql_real_escape_string function.

function fix_for_mysql($value){
    if (get_magic_quotes_gpc())
        $value = stripslashes($value);
    $value = mysql_real_escape_string($value);
    return $value;
}

It is a common belief that whether you are displaying user input on the screen, or using it in a query, the characters you need to escape are the same, but this is not true. That is why there are seperate functions. If you give data to a query that has only been checked using the standard special character and escape functions, there is still a chance for an exploit. Always use the proper safeguards.

Other uses of user input

Anytime you are including a file in your script, and the filename has been given by the user, you must be very careful. Imagine having this on your page:

<a href="template.php?the_file=section1.php">Section 1</a>
<a href="template.php?the_file=section2.php">Section 2</a>
<a href="template.php?the_file=section3.php">Section 3</a>

After looking at that code, a user might try to see if they can use the script to open some other file on the server, such as a configuration file with passwords. Since such a large number of scripts are insecure, there is a good chance that they would be able to. There are some good ways to deal with this though.

If you are working with a small number of files, you can always just make sure the input matches one of the options exactly, like this:

$pages = array('section1.php', 'section2.php', 'section3.php'); 
if (in_array($the_file, $pages) ) { 
    include($the_file); 
} else { 
    die("Invalid File!"); 
} 

Now if you have a lot of files, and they share a common naming system, you can use regular expressions to make sure the specified file name fits the naming scheme.

One other solution is to create a directory which contains the files, and only let the script open files in that directory. First, be sure to strip out any extra slashes in the user input, so that way the filename cannot be referencing another directory. Then hard-code the path like so:

$filename = "/data/" . $the_file;

That is a very basic example, but you get the idea. If you do not check for extra slashes, someone could try to open something like “../../../config.php“.

It is also a good idea to always use the .php extension for included files. That way, even if one gets opened in the browser directly, the code (data, passwords, etc..) will not be visible since PHP is processed on the server side.

PHP form mailers

The most commonly exploited PHP script is perhaps the form mailer. It is very rare to find one out there that does not have security holes. Many think that because the recipient’s name is hard-coded in the script, there is no way to use it to send mail to other people. This is completely false!

The most common way to exploit form mailers is through the injection of alternate email headers. Here is a very simple example. Imagine someone typing this in for the email subject:

Buy My Stuff!\\nBcc: someone_getting_spammed@domain.com

As you can see, a new header was injected into the message, causing a copy of the email to go somewhere else. Once again, this is an extremely simple example, as there are many other ways to inject email headers. Now that you are aware of the problem, you can take steps to fix it.

By now you know to always validate your data. After that step, you can do a simple check on your fields to make sure multiple lines were not added. Try this:

$from = $_POST["sender"];
if (eregi("\\r",$from) || eregi("\\n",$from)) {
    die("Invalid Input!");
}

You will need to perform this check on all of the fields (except the actual message). This is just one method. If you wanted, you could also strip out any colons from the fields since they are needed for headers.

You only really need to worry about this on your Name, Email, Subject, etc.. fields. The message itself is not as important (assuming you are using the mail function properly) since it is not put in the headers, but rather below them.

One alternative would be to have a field for the message and that’s it. Then no headers could get injected. Or you could still have the fields, but instead of putting the user input in the headers, it could just put it in the message itself.

There is much more to say about form mailer scripts, but that is all I will cover here. I will soon be writing an article focusing completely on PHP form mailers, which will include my personal script.

Conclusion

That concludes the first part of this article. Questions and/or comments are welcome!

Major Update! – The previous method on this site would only let you add new ringtones by replacing ones you already had on your phone. This means you would have to use the vision service at least once to get some uploaded. The solution has finally been discovered, and now you can upload new ringtones without having to replace old ones! This means you can upload ringtones without having to have any already on the phone!

Page Contents

• Introduction – What does this tutorial explain?
• Tools Needed – Programs you will need to upload your ringtones
• USB Drivers – NEW! USB drivers for Samsung phones
• Creating a ringtone from a MIDI file using GCDCreator
• Creating a ringtone from a WAV or MP3 file
• Uploading the ringtone to your phone
• Comments – Questions? Comments? Ask!

Introduction

This document describes the process of adding ringtones to your Samsung VGA1000 / SPH-A620 phone without using the Spring Vision service. These instructions will allow you to add new ringtones, instead of having to replace ones you already have (as in the previous versions of this tutorial). And unlike the previous method, this will also show the correct song name in your phone.

Tools needed

• BitPim – http://bitpim.sourceforge.net/
  Bitpim is a great open-source program which allows you to transfer files between your phone and computer. It actually has a built-in ringtone transfer feature, but it (like the rest of the features) does not work on every phone. Currently it does not support the VGA1000 / SPH-A620 which is why you are reading this! Luckily, the program does allow you to view and edit the file system of this phone. You also must have the appropriate cable to communicate with your phone. For BitPim related questions, check out their web site.
• phaZed’s GCDCreator v1.1.0 – http://www.sprintusers.com/downloads/gcdcreator/
  GCDCreator has a couple of useful features. First, it allows you to generate GCD files which are sort of like description files for objects on your phone. It lets the phone know what kind of file it has. The other notable feature of GCDCreator is its ability to convert a (properly formatted) WAV file into a QCP. The VGA1000 / SPH-A620 supports two types of ringtones. MIDI files (the same that your computer will play), and QCP, which is a low quality WAV. You can experiment with different songs to find ones that work well on your phone.
• Hexplorer – http://artemis.wszib.edu.pl/~mdudek/
  Any hex-editor will work, but I personally like this one.
• Winamp and/or a sound editor
  You only need these if you plan to create a ringtone from a WAV, MP3, or other audio file besides MIDI.

USB Drivers

The following file contains the drivers for the Samsung A310, A530, A600, A620, A660, and a few other models, but this tutorial only covers the A620/VGA1000. You will need this driver so Windows will recognize your phone as a USB device, although most cables come with drivers already.

Download Samsung_USB_Drivers.rar

Creating a ringtone from a MIDI file using GCDCreator

First, open GCDCreator. You will notice that the interface is broken down into steps.

Step 1

Click the “New GCD” button and select your MIDI file

Step2

‘MIDI’ should already be selected. If not, select it.

Step 3

Choose your output directory. Then fill in the information for the GCD file. Below is an example. It is best to keep the Content-Name and URL unique. If you are using the latest version of GCDCreator, it will automatically give you a unique URL. You will notice below, it is just the file name, with a forward slash.

Content-Name: The Cure – Fascination Street
Content-Version: 1.0
Content-Vendor: Dagon Design
Content-URL: /the cure – fascination street.mid

Step 4

Click the “Make GCD ” button. That’s it! You are left with the MIDI and GCD files.

Creating a ringtone from a WAV or MP3 file

If you want to create a ringtone from a WAV or MP3, or any other kind of audio file, there are a few more steps. Using your favorite sound editor, you need to convert your file to a 8000hz 16bit MONO PCM WAV. I recommend cropping your sound file as well, or it might end up being too big for your phone. For best results, use a section that sounds good repeated.

For this example. I used an MP3 I had laying around. After converting it to a WAV with Winamp’s “disk writer” feature (which can also create the correct WAV format for you), I crop the first few seconds from it with Sound Forge (a sound file editor).

Now you need to convert the WAV to QCP.

Step 1

Click the “WAV to QCP” button. Select your WAV file and click “Convert WAV”. You now have a QCP file. You can delete the WAV if you want since we are through with it.

Step 2

Now you just have to create the GCD file for your new QCP file. This process is already explained in the above section, “Creating a ringtone from a MIDI file using GCDCreator”. The only difference is that you do not select “MIDI” in the second step, but rather the “QCELP Clips” option.

You should now have a QCP and GCD file.

Uploading the ringtone to your phone

Below are the steps you must take to add your new ringtones. Please follow them in order.

Checking the current ringtones

Before you know what to name your new ringtone files, you need to look in the /ams/Ringers/ directory of your phone. Here is an example listing:

cnts1
cnts1.gcd
cnts2
cnts2.gcd

This means the next one will be number 3, so here is how you name your files:

For MIDI

rename midi_file.mid to cnts3 (no extension!)
rename midi_file.gcd to cnts3.gcd

For QCP (converted from WAV/MP3)

rename qcp_file.qcp to cnts3 (no extension!)
rename qcp_file.gcd to cnts3.gcd

We will upload them in a moment. There are a few steps first.

Saving the registry

Using the filesystem view in BitPim, browse to the /ams/ directory and find the AmsRegistry file. Right-click the file and save it to your computer. I recommend keeping a backup copy of it somewhere safe in case something goes wrong.

Editing the registry

Using Hexplorer (or your favorite hex-editor), go to address 9230. In Hexplorer you can do this from the menu at “View -> Go To Address”. You will see a two digit hex character. This represents how many applications, games, and ringers you have on your phone.

A new phone contains 2 sample applications, 3 sample games, and 0 ringers. This means the number should be 05. If you are adding two ringtones, this number should be set at 07, etc. For each ringtone you add, increase this number.

It is important to mention that this value is displayed in hexadecimal.

In hex, instead of 0 to 9, it is: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F (which equals 0-15)

So in other words: 0-15 is 00-0F … 16-31 is 10-1F … 32-47 is 20-2F …etc… Easy enough!

Once you have made the required change, save the file and exit your hex editor.

Uploading files

Once again, always perform the steps as they are listed:

• Upload the ringtone files into /ams/Ringers/
• Upload the new AmsRegistry file into /ams/ overwriting the old copy
• Delete the EndTransaction file from /ams/

Finishing

Disconnect your phone, and do a full power cycle. To do this, hold down your END button until the phone turns off. Then turn it back on. Check your Downloads section to see if your new ringers are there! If so, congratulations!

Troubleshooting

If you get a message stating that your AmsRegistry file is “locked” when trying to overwrite it, simply cycle the phones power and try again. You do not have to re-upload the ringtones if you already did this, but make sure the EndTransaction file is still gone.

If you cannot get this working, the first step is to make sure your ringtone files were created properly. This is the number one cause of problems!

Important information about deleting ringtones

If you want to delete a ringtone, do it through the phone, not through BitPim! This can cause serious problems.

Requirements

• Photoshop / ImageReady – CS2 is preferred.
• PowerDVD – You can use any DVD playback software that can capture frames, but I find this one to be the best. The instructions below are for version 5.x.
• A DVD-Rom Drive – To play the DVDs in your PC.

Instructions

Open up your DVD in PowerDVD.

In your configuration options, under “Player Settings“, click the “Advanced” button. Then select the “Snapshot” tab. Select the “Capture to file” radio button, and then choose the directory for your captures. Then exit the configuration. This is where the screen captures will be stored.

Now you can skip ahead in the movie to the scene you want to capture. Decide exactly which frame you want to start and end on. The shorter the better since animated gifs can get very large if you have a lot of frames.

Starting with the first frame, hit C to capture. Then hit T to move foward one frame. Repeat this process until you are at the end of the desired scene.

If you know ahead of time that you will end up with quite a few (several hundred) frames, you may want to only capture every other frame, or every third frame. You will just have to experiment to get the best results.

For this example, I am using a small scene from the SpongeBob SquarePants movie. I ended up capturing 27 frames. Now let’s open up ImageReady.

In the ImageReady menu, select “File” -> “Import” -> “Folder as Frames” and select the directory.

This will create a new file, where each frame is in it’s own layer. Now we need to transfer this to Photoshop. The best way is to simply click the bottom button on the main toolbar (shown in green in the image to the right). This transfers the currently active file directly to ImageReady (or back to Photoshop if you are already in ImageReady).

It is worth mentioning that you should save your files often, because you don’t want to have to start all over if you make a little mistake with the project.

Now you can crop and resize your frames. Since each frame is on its own layer, any resizing you do in photoshop will affect all the frames, which is much easier than repeating the same steps over and over, or setting up a macro. After resizing, here is my first frame (layer) from the PSD file:

If you like, you can add special effects, fonts, textures, brushes, etc. This must be done on a new layer (or layers) so that it can be applied to all of the frames in the following step. Be sure to put these new layers above the others. I created 2 new layers for this example. One for some text, and one for a border:

Now your layers list should look something like this:

There are of course several other frames down below that are not visible. Now that that’s done, click the toolbar option to transfer this back to ImageReady.

Take a look at the animation window near the bottom of ImageReady. If this is not already visible, select “Window” -> “Animation” from the menu to display it.

The far left frame is the first one in the animation. Highlight it. Now you must select (make visible) the layers you want shown on this frame. This means you want the first captured frame (the very bottom layer), and the special effects layers visible. Everything else should be hidden. (Click the little eye next to the layer to hide/unhide it).

Now move on to the second frame. The only thing you want visible for this one is the special effects stuff, and the second frame from the capture.

Just continue this process for each frame. This part can be time consuming, but depending on how everything was done, a lot of the frames will already be set properly.

Once you are through with this, you can click the play button near the bottom of the animation window. This will show you a preview of the animated gif. If you see any errors (like frames jumping in the middle), you probably did not set a frame correctly.

You can also adjust the time each frame is shown with the little drop down menus under the frame display. Or if you decide that you have too many frames, you can delete them directly from the animation window (the trash can icon).

Now go to “File” -> “Save Optimized As”, and give it a name. You now have an animated image. Here is mine:

As you can see, this is an extremely basic example and it does not look that great, but it is easy to imagine the possibilities.

Final Thoughts

To make smoother animations you can take the frames you have, duplicate them, and then reverse. For example, say your frames are numbered 1-2-3-4-5. Try using them like this: 1-2-3-4-5-4-3-2. Now there will be a smooth transition, with no big jumps each time the animation is looped. This of course depends on the specific animation in the file, but once again, you can experiment.

There are many other things you can do, but this guide is simply meant to get you started. Have fun!

An example

Once someone found a large image on my site that they thought would make a good avatar on their forum. They linked to my server for the image, and even though it was shrunk down on the forum pages, it was still downloading the full size (over 200KB). This person had a lot of posts and it was a very heavily used forum. It ended up using about 100 Megs a day of bandwidth, or about 3 Gigs a month! That was when I decided to start using hotlink prevention.

Requirements

This article covers hotlink protection for the Apache web server. If you are running IIS, much the same can be accomplished using commercial software such as ISAPI Rewrite.

You may have to contact your hosting service or just experiment to see if you are able to use the .htaccess file. The .htaccess file is simply a text file which contains directives (configuration settings) for the Apache web server. It is easy to create if you do not have one already, and it is generally located in the root directory of your server. Any settings in this file will apply to all sub-directories (unless told otherwise – more on that later).

If you prefer to use the primary Apache configuration file (httpd.conf) for your server settings, everything in this tutorial can be accomplished much the same way.

A few notes on the code

This article will cover the two main methods of hotlink prevention: Image replacement and ‘403 Forbidden’ responses. You may have seen hotlink protection code which redirects users to a specified web page, but this will most certainly not work . This is the equivalent of placing a URL into an <img> tag, and it will do nothing more than cause problems.

If you want hotlinks to take visitors to your site, it is best to simply return a ‘403 Forbidden’ response and create nice custom error pages. A standard error page will generally just cause the visitor to close the window, but a well-made custom error page can give the visitor information about the site, and links to the main sections. They will be much more likely to visit your site because of this.

Explanations of the code samples are given below, as well as some basic information on flags and other options. For a full explanation of everything you can do with the .htaccess file, I recommend taking a look at the Apache directive documentation.

Proper image replacement method

This method displays a specified image on the hotlinker’s page no matter what image they linked to. You can have a simple image which says “do not hotlink!” or you can use your imagination and really discourage them! Read further to find out the best way to create these files.

RewriteEngine on 
RewriteCond %{HTTP_REFERER} . 
RewriteCond %{HTTP_REFERER} !^http://(www\\.)?yoursite\\.com [NC] 
RewriteRule \\.(gif|jpe?g)$ /images/hotlink.$1 [L]

Breakdown of the code

RewriteEngine on

This turns on the mod_rewrite engine in Apache. A requirement for the rewrite commands.

RewriteCond %{HTTP_REFERER} .

This line allows blank referrers. The period in .htaccess means ‘any character’. This means users can manually type in a link to one of your images in their browser, but this is generally not even a problem. If you leave this line out a large percentage of visitors will not see your images. This includes many users behind corporate and ISP firewalls, all AOL users, and many others. Leaving this line in is highly recommended! If a visitor thinks your site is broken, they will most likely not return. If you have any kind of e-commerce site, they probably won’t be doing business with you!

RewriteCond %{HTTP_REFERER} !^http://(www\\.)?yoursite\\.com [NC]

Here the server checks to see if the request is coming from your own domain. Just change the text to match your website. It handles hotlink prevention whether or not the ‘www’ prefix is used. The [NC] flag at the end means ‘No Case’, so it will handle everything.

Notice that there is a backslash before the periods in the domain name. As stated above, in the .htaccess file a period means ‘any character’. Preceeding it with a backslash turns it into a literal period, meaning that there must actually be a period there. When writing .htaccess code it is always best to take all possibilities into consideration.

If you have another site that needs to hotlink from this one, simply duplicate this line and type in the new domain.

RewriteRule \\.(gif|jpe?g)$ /images/hotlink.$1 [L]

This last line blocks all requests for gif, jpg, and jpeg files unless they are from an allowed resource. You will notice the hotlink.$1 file. This code will cause the server to return the proper type of file – which is the format that was requested. A lot of hotlink protection code simply sends one type of file no matter what, but many browsers will not handle this properly, and the above method provides the most flexibility while doing things correctly.

This means that for this example we need to create a hotlink.gif, hotlink.jpg, and hotlink.jpeg. Just create your replacement image, and export it to each of the needed file types. Then just upload them to your server in the location specified by the code (in this case – /images/). You can make the replacement images as large or as small as you want, just keep in mind that if they are too large, you may end up loosing more bandwidth than you would have without protection code!

Proper ‘403 Forbidden’ method

This method is my favorite because it is the easiest on the server and no bandwidth is used at all. Once again, there are several methods to just return ‘nothing’ but generating a ‘403 Forbidden’ error for the hotlinker is perhaps the best. It will not cause any errors or confusion on your server, and the hotlinker will be left with a broken image link.

RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\\.)?yoursite\\.com [NC]
RewriteRule \\.(gif|jpe?g)$ - [NC,F]

Breakdown of the code

The last line is the only difference in these two examples, and this one just contains a dash where the image file would be. Since we are just bouncing back a ‘403 Forbidden’ error message to the hotlinker we do not have to worry about creating any image files.

As mentioned before, if the hotlinkers have simple links to your images (as opposed to images displayed with the <img> tags), clicking on the links will return a ‘403 Forbidden’ error with this method. This is what we want, but there is no reason you cannot create custom error pages which give the user information about your site and links to the main sections. This gives you a much better chance of keeping these visitors!

Changing the blocked extensions

For other extensions to be blocked, you just have to add them between the parenthesis, placing a | (pipe) character between each one. In the case of the jpg and jpeg files, there is only one entry, but the question mark after the ‘e’ means it is optional, so it handles both.

Troubleshooting

The most important thing to remember when testing hotlink protection code is that you must always clear your browser’s cache before each test, or you may just be pulling up cached copies of the test images.

Another important thing to mention is that in many server configurations, mod_rewrite requires that either the FollowSymlinks or SymLinksIfOwnerMatch option is enabled. If your server requires this and you do not have it, you will get a ‘403 Forbidden’ response for all requests. It should be easy to notice in your log files. If you do need it, simply add this line before your hotlink prevention code:

Options +FollowSymLinks

Allow selective hotlinking

There are a couple of different ways to do this. You can of course add the domain name that you want to allow into your .htaccess file as mentioned above, but what about when you have certain images you want anyone to use? Here is the solution I prefer.

Create a directory on your server called ’share’ and create a new .htaccess file inside it, containing this code:

RewriteEngine off

This will counter-act the global .htaccess file, and allow hotlinking from this directory. Now you can keep your bandwidth protected while still letting certain files be hotlinked!

Requirements

As stated above, the .htaccess file contains directives for the Apache web server. If you are running IIS then you can achieve much of the same functionality with commercial applications such as ISAPI Rewrite, but that will not be covered here.

If you are not sure what software your web server uses, or if you even have access to the .htaccess file, you can simply ask your hosting company.

Location

An .htaccess file can be placed in any directory on your web server and there is no standard limit on how many instances of it you can have. The directives in each file apply to all the files and directories beneath, unless told otherwise. This means that you can have one global .htaccess in your root directory and a separate .htaccess in a specific directory which counter-acts the global settings.

Creation

Before you create the file, it is best to check to see if you already have one on your server. If so, it may contain important code that you do not want to loose. Be sure to back it up before making changes.

Many FTP clients will hide the .htaccess file by default, so you may need to check your settings to see if there is an option to display hidden files. In Windows, I personally like using CuteFTP.

Remember that the .htaccess file is a simple text file. This means you can create it in any standard text editor such as Notepad.

If you are running the Windows operating system, you are not allowed to save a file without a prefix (the text before the period). This means you must name your file something else (such as htaccess.txt) and then rename it with your FTP client after it has been uploaded.

When uploading the .htaccess file, be sure that your FTP client is set to use ASCII (text) mode. This will prevent any formatting problems due to the transfer.

Other tips

Any line starting with a ‘#‘ (pound sign) is ignored (useful for adding comments to your code).

When I mentioned the root directory as the location for your primary .htaccess file, I am referring to the root directory for your html files. This is not necessarily the directory you start with when you connect using your FTP client. Most users will have a ‘public_html’ directory (or something similar) which is the true root of your web site.

Most .htaccess directives must be placed on a single line. If you are dealing with long lines of code, make sure word-wrap is turned off in your text editor to prevent problems.

Security

If you wish to keep your .htaccess file fully secure, I recommend using both of the following methods:

1) Add the following code into the start of your .htaccess file. It will send a ‘403 Forbidden’ response to anyone trying to access it.

<files .htaccess>
order allow,deny
deny from all
</files>

2) Be sure to set your .htaccess file to 644 (RW-R–R–) with CHMOD. This sets the proper file permissions. Many FTP clients allow you to set this in the properties of the file.

Troubleshooting

Always make sure your code is typed in properly!

It is very easy to cause problems with the .htaccess file. Even an extra character somewhere can bring down your site, or start an infinite loop. Generally this will not affect the other services (such as FTP), so you can easily get in and reverse your settings. Error logs can also be a great help when troubleshooting code.

Conclusion

Now that you know a bit more about the .htaccess file, feel free to take a look at some of the tutorials on this site that deal with its use.

If you want a fully detailed listing of all the available directives, you can check out the Apache directive documentation.

Requirements

To create custom error pages using the method below you will need to have access to your .htaccess file. If you are not familiar with this file, you can find an introduction to it on this site.

Many web hosts give you the ability to create custom error pages from an online control panel. My host supports this, but doing it manually gives you much more control.

The code

The code for custom error pages is in the following format:

ErrorDocument (3 digit error code) (path to error page)

Here is an example. This is what I generally use myself:

ErrorDocument 400 /errors/400.htm
ErrorDocument 401 /errors/401.htm
ErrorDocument 403 /errors/403.htm
ErrorDocument 404 /errors/404.htm
ErrorDocument 500 /errors/500.htm 

There are several other error codes, but these five are generally accepted as the most common ones that visitors will encounter. For a more complete list, with information on the specific errors, you can visit the World Wide Web Consortium.

In the above code, the error documents are contained in an ‘errors’ directory on my web server. You can place them anywhere you like, but it is very important that you always use relative paths to the files. This is the path relative to the root directory of your web server. It always starts with a forward slash!

Creating the pages

There is only one important rule to remember when creating your error pages – the file size. Internet Explorer (at least versions 5 and up) have problems displaying custom error pages that are less than 10 Kilobytes in size. Some people say the minimum is 512 bytes but from my own testing I find it is much better to make them at least 10 Kilobytes. That is, if you want them to always work!

A simple way to increase the size of your error pages is to add in random text in comment tags as shown below:

<!-- comments comments comments etc... -->

A few notes on content

Some web sites are configured to redirect the user back to the homepage when there is an error. While this certainly works, it is not very practical. If there is a true error occurring, then the user needs to know. It is also important because it can let people know that they need to update their links!

The goal of a good custom error page is not to hide the error message but rather to make it attractive to the viewer and easy for them to find what they are looking for. You can have a simple link to your main index, or even a full sitemap. Either way it will mean a lot more people are coming back to your site!

Testing and troubleshooting

After you have uploaded your modified .htaccess file and the custom error pages you can easily test them by trying to access a non-existent file on your web server.

For those of you who are currently using any kind of redirect or mod_rewrite code in your .htaccess file, I find that it helps to put your custom error page code before any of this. Otherwise it may have trouble displaying your pages on some servers.