Ok, so I want to send AJAX requests to my website from my Flash games to process data, but I don't want people downloading them, decompiling them, then sending fake requests to be processed, so I'm trying to figure out the most secure way to process in the PHP files. My first idea was to use Apache's built in Authorization module to require a username and password to access the pages on a separate subdomain of my website, but then you'd have to include that username and password in the AJAX request anyway so that seems kind of pointless to even try.

My current option looks pretty promising but I want to make sure it will work. Basically it just checks the IP address being sent using REMOTE_ADDR to make sure it's the IP address that my server runs on.

<?
$allowed = new Array("64.120.211.89", "64.120.211.90");
if (!in_array($_SERVER['REMOTE_ADDR'], $allowed)) header("HTTP/1.1 403 Forbidden");
?>

Both of those IP addresses point to my server. Things I'm worried about:

1) If I send a request from Flash/ActionScript, will that affect the IP address in any way?

2) Is it possible for malicious users to change the IP address that is being sent with REMOTE_ADDR to one of my IP addresses?

Any other ways you would suggest that might be more secure?