g1smd - 8:18 pm on Oct 12, 2012 (gmt 0)
The REQUEST_URI pointer is modified (updated) by an internal rewrite.
Your rule that blocks access must test THE_REQUEST so that only external requests for .php are rejected.
The rule that blocks access must be listed before the internal rewrite rule.
If you omit the required leading slash before $1 in the rewrite, you leave your server wide open to "path injection" attacks.