In that case I suggest that it is best to restrict access in the PHP code.
You detect where the visitor came from and then terminate the script with an error message such as:
if ($_SERVER['HTTP_REFERER'] != 'allowed place') die ("Access Denied!");
Now that I think about it, using PHP would require me to modify the shopping cart software. The modifications would end up being be removed after updates. I figure if I use .htaccess I wouldn't have to keep adding the code back after updates. I still haven't ruled it out as an option, though, if it works best.
You guys are the best for helping! I'll try the .htaccess suggestions and see what happens.