Well, inside the httpd.conf (I'm going to assume we're talking apache here because that's my knowledge base, not IIS), in the intial <Directory> for this page, I would take Indexes out of the Options list. This prevents people from scanning/traversing directory trees.

As for the php, we can't see the code so we can't check!