
Basic security check

how to block off-site files in URL variables


sssweb

8:06 pm on Feb 7, 2006 (gmt 0)

I'm looking for some simple code to ensure that a $variable read from the URL originates on my site.

Example URL:

[mysite.com...]

I want code that prevents someone from calling a file from another site, for example:

[mysite.com...]

vevs

8:35 pm on Feb 7, 2006 (gmt 0)

you can define an array with all the accepted "variable" values and check if the requested variable is in that array.

Vevs

victor

8:46 pm on Feb 7, 2006 (gmt 0)

You want to make sure also they can specify only files in a small set of folders.

Otherwise, I could explore your whole site by trying things like:

variable=../../../etc/passwd

One way is to parse the variable so the only part you take is the last part -- passwd in the example. And then read it only from the one folder you keep user-accessible files in.

If they have some sway over the folder, then relax the above code a little.

sssweb

11:41 pm on Feb 7, 2006 (gmt 0)

The security issue is already taken care of in the script, so I'm not concerned about incorrect/malicious filepaths. What I want to block is when someone enters a CORRECT filepath in the address bar to try to directly access a file. I only want the file accessed by commands in my script, not via URL in the address bar.

I tried the following, but it doesn't seem to work:

if ($URI == ("http://mysite.com/page.php?variable=".$variable)) {
die("You are not authorized to view this page.");
}
else { // continue with script
}

sssweb

12:33 am on Feb 8, 2006 (gmt 0)

Okay, I got code that blocks the path typed in the address bar, but it also blocks access when called by the script! Here's what I've got:

if ($_SERVER['REQUEST_URI'] == ("http://mysite.com/page.php?variable=".$variable)) {
die("You are not authorized to view this page.");
}
else { //continue with script
}

I assume the server doesn't distinguish between $_SERVER['REQUEST_URI'] typed in the address bar or called from the script. Is there a different variable I can call there that ONLY applies to the URI or URL typed in the address bar?

Anyango

8:56 am on Feb 8, 2006 (gmt 0)

Try using this

$_SERVER["HTTP_REFERER"];

it will tell you the URL which called your script, so you can check if that URL is of your site; worth mentioning that for security purposes it isn't that reliable.
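Putting the thread's three suggestions together (vevs' allowlist, victor's "take only the last path segment and read from one folder", and Anyango's caveat that the Referer header cannot be trusted), here is an added example that is not code from any poster; the content directory, the allowed file names and the host name are assumptions:

```php
<?php
// Added example, not from the thread: validate a file name taken from the URL
// against an allowlist and confine it to one directory. Names are assumptions.
declare(strict_types=1);

const CONTENT_DIR   = __DIR__ . '/content';        // assumed folder of user-accessible files
const ALLOWED_FILES = ['about.txt', 'help.txt'];   // assumed allowlist (vevs' suggestion)

function resolveContentFile(string $requested): ?string
{
    // Keep only the last path segment (victor's suggestion):
    // "../../../etc/passwd" becomes "passwd", which the allowlist then rejects.
    $name = basename($requested);

    // Reject anything not explicitly allowed; strict comparison avoids type juggling.
    if (!in_array($name, ALLOWED_FILES, true)) {
        return null;
    }

    // Belt and braces: resolve symlinks and confirm the result still lies inside CONTENT_DIR.
    $base = realpath(CONTENT_DIR);
    $path = realpath(CONTENT_DIR . '/' . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The Referer header is supplied by the client and may be absent or forged, so
// this only discourages casual direct access (Anyango's caveat); it is not an
// authorization check and must not replace the validation above.
function referrerLooksLocal(string $ownHost): bool
{
    $host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

$file = resolveContentFile($_GET['variable'] ?? '');
if ($file === null) {
    http_response_code(404);
    exit('Not found.');
}
readfile($file);
```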