I would think that would suffice. Does anyone here think that it would still be a security risk? The only thing I could see still being a problem is that someone could still manually enter the directory URL into their browser for access to the files.

Don't do that. Put the flat file above the web root. I'm not sure of your hosting environment, but most linux set ups allow you to access files above the web root with your scripts.

If there is no way to do that in your situation, then yes, block them with your script since it is already written. But also, change the file perms so only your scripts can access it, and use .htaccess to block access to those files from everybody except your scripts and/or the owner of the files.

HI
I have benn working with a similiar script and i have solved this security issue doing a 'string replace' to the url:

str_replace('..','',$requested_url);

It works like a charm.

;)

If you need to now something about security, read this books:

http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0470857447.html

or

http://www.amazon.co.uk/Architects-Guide-Security-Step-step/dp/0973862106/ref=sr_1_2?ie=UTF8&s=books&qid=1232831903&sr=8-2

or

http://phpsec.org/projects/guide/