to protect files that are not php files, they should be uploaded to the server in a location that connot be access directly through a web address. On a shared server, you will most likely have problems with this, but most hosts will allow you to store files below the httpdocs directory on a dedicated server to prevent direct access.