
Restrict access to folder


empra6or

12:07 am on Jan 6, 2011 (gmt 0)




So I have this one folder that stores all the confidential PHP files in it. I don't want people to be able to link to or access it directly, but I have a link on my web site that makes use of the PHP files. This is what I have so far:

RewriteEngine on
RewriteBase /
# Skip requests that carry no referrer at all (proxies, privacy software)
RewriteCond %{HTTP_REFERER} !^$
# Only act when the referrer is not this site (dot escaped so it matches literally)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/.*$ [NC]
RewriteRule ^.*$ http://mysitenet/ [R=301,L]


But for some reason it does not work. Can someone help me on this?

g1smd

12:50 am on Jan 6, 2011 (gmt 0)




Don't use referrer ever.

If only your site makes use of these files, then use the internal "include" function to access these files.

That access does not use HTTP, so you can therefore use .htpasswd access control to keep all other people out.

Alternatively, you could use a "deny from all" directive in .htaccess to stop all external access.

You could also rewrite all external URL requests for that folder to a non-existent internal filepath.

Any one of those three solutions would work.

jdMorgan

10:11 pm on Jan 6, 2011 (gmt 0)




To explain the "Don't use referrer, ever" statement above: Referrers can easily be spoofed. They are also often suppressed by the client's internet security software. Requests coming through network proxies such as those used by AOL, EarthLink, other big ISPs, and many corporations will also have no referrer. Because of this, the first RewriteCond in your code is required, because otherwise all of these accesses would be blocked, even if the AOL/EarthLink/corporate user actually was being referred by the correct page.

However, since many of your PHP files may be sub-scripts included by other scripts, those sub-scripts need not be Web-accessible, because as g1smd points out, they are included by other scripts solely inside your server, using *file* includes, not HTTP fetches.

Hopefully, that clarifies things. If this explanation does not seem to address your actual requirements, then the likely solution to "protecting" your PHP file(s) is to use cookies. Set a cookie on the Web page(s) which are "authorized" to fetch the .php URL(s), and then check the cookie before allowing those fetches. RewriteCond can test the %{HTTP_COOKIE} variable for this purpose.

While cookies can be stolen and/or spoofed as well, this is certainly more difficult than spoofing a referrer -- Referrer spoofing is something that many Webmaster add-on toolbars can do.

Jim
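The two approaches recommended above (g1smd's "deny from all" for include-only scripts, and jdMorgan's cookie check for scripts that must stay fetchable), as an added example that is not code from any of the posters. It assumes the confidential scripts live in /includes/ and that the cookie name "authz" and value "granted" are placeholders chosen for the example.

```apache
# ---- /includes/.htaccess : block every HTTP request to the folder ----
# PHP include/require reads the file system directly, so this does not
# affect scripts that pull these files in server-side.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
</IfModule>

# ---- Alternative, in the document root .htaccess, for scripts that ----
# ---- really must be fetched by the browser: gate them on a cookie   ----
# The authorised page sets the cookie (e.g. setcookie('authz', 'granted')
# in PHP); requests for /includes/ without it are refused with 403.
# A static cookie value is still guessable, so prefer the deny-all rule
# above wherever the scripts are only ever included, never fetched.
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_COOKIE} !(^|;\s*)authz=granted(;|$)
RewriteRule ^includes/ - [F,L]
```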