Have a look at http://www.datatrendsoftware.com/spoof.html. As you can see, it's quite easy to fake the HTTP_REFERER variable. You should also be aware that HTTP_REFERER will not be set if someone types in the URL of your script - it will only exist if they've followed a link. Some browsers do not even send this information anyway. Therefore I think you should modify your script to allow access if HTTP_REFERER is undefined.

Sorry for being a bit negative, but by using this system you do stand a good chance of blocking authorised access while not really offering much protection against unauthorised people using your scripts.

JJ