I have an iPhone application that gets data from a set of php files.
The php files return XML based on the query string parameters.
What would be the best way to secure and restrict access to these “web services”?
Thank you!
Edit: The server is running CentOS/Apache and I would like to limit access so that only the application will be able to access the files. I don’t want the files to be accessible from outside of the application. (The application will be ported to android and blackberry as well).
You could generate a hash in your iPhone application that gets passed along with the other query string parameters. The hash should include a “key” (or “shared secret”) that’s only known by the web server and the iPhone application as well as one or more of the query string parameters that are passed.
The PHP script that will receive the information can then regenerate the hash since it knows the “key”. If the “key” matches the one in the query string, the request is valid and came from an iPhone, otherwise it didn’t.
Update: To prevent someone from using the same query string to request the same information over and over again, you can add an “expiry” timestamp to the query string and hash and check that the request hasn’t expired if the hash is valid.
I can’t provide an Objective-C example, but your PHP script could look like this:
Based on the example above, you’d want the iPhone application to create an MD5 hash of the shared secret (“SHAREDSECRET” in this case), “param1”, and “param2” and include it in the request to the PHP file.
The URL that the iPhone requests should look like this:
Of course the “key” itself wouldn’t be passed in the query string, making it difficult for someone to figure out how to get to your information (unless it’s through the iPhone app of course).
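The signing and verification the answer describes, written out as an added PHP example (this is not the answer's own script, which is missing from the page): it uses HMAC-SHA256 and hash_equals() in place of a plain MD5 of the concatenated values, and the parameter names, the `expires` and `sig` fields, the request path and the secret value are assumptions.

```php
<?php
// Added example: HMAC-signed request verification for the PHP side of the
// scheme above. Assumed: the client builds the same canonical string and sends
// "expires" and "sig" alongside its parameters. A secret embedded in a shipped
// app can be recovered from the binary, so this proves the request was built
// with the secret and is not a replay; it does not prove which client sent it.

const SHARED_SECRET = 'SHAREDSECRET';            // placeholder, as in the answer
const SIGNED_PARAMS = ['param1', 'param2', 'expires'];
const MAX_SKEW      = 300;                       // seconds of clock drift allowed

// Canonical string: the signed params in a fixed order, URL-encoded, '&'-joined,
// so client and server hash exactly the same bytes regardless of URL ordering.
function canonical(array $params): string {
    $parts = [];
    foreach (SIGNED_PARAMS as $name) {
        $parts[] = $name . '=' . rawurlencode((string)($params[$name] ?? ''));
    }
    return implode('&', $parts);
}

// What the app computes before building the URL. HMAC keys the secret in
// rather than concatenating it, which also avoids length-extension issues.
function sign(array $params): string {
    return hash_hmac('sha256', canonical($params), SHARED_SECRET);
}

// Server side: true only if the signature matches and the request is not stale.
// hash_equals() compares in constant time to avoid a timing side channel.
function verify(array $query, int $now): bool {
    if (!isset($query['sig'], $query['expires']) || !ctype_digit((string)$query['expires'])) {
        return false;                            // missing or malformed fields
    }
    if ((int)$query['expires'] + MAX_SKEW < $now) {
        return false;                            // expired: blocks replay of a captured URL
    }
    return hash_equals(sign($query), (string)$query['sig']);
}

// Constructed demonstration of the three cases a server should handle.
$now = time();
$req = ['param1' => 'foo', 'param2' => 'bar', 'expires' => $now + 60];
$req['sig'] = sign($req);
echo "URL the app would request: /data.php?" . http_build_query($req) . "\n";
echo "genuine request:   " . var_export(verify($req, $now), true) . "\n";
$tampered = $req;
$tampered['param1'] = 'baz';                     // parameter changed after signing
echo "tampered request:  " . var_export(verify($tampered, $now), true) . "\n";
echo "stale request:     " . var_export(verify($req, $now + 3600), true) . "\n";
```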