Disallowing directory browsing is done using server settings. Simply placing a default file in the directory would stop most people, but some browsers or software would probably still allow listings.
The simplest way to stop refresh from adding another query would be to use POST instead of GET. Other than that, you can check stuff server side like whether it already exists or not. I think you might be able to use the server variable 'HTTP_REFERER' to make sure it came from the correct page. If the user can come from multiple places, instead of checking to make sure they came from a certain page, check to make sure they don't come from a URL that includes the GET values that input data.
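One way to implement the server-side checks described above, as an added example that is not part of the original post. The `signup` table, the `name`/`email` parameters, the `site.example` URLs and the sample requests are constructed for illustration; the request is modelled as a CGI-style environment dictionary.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical GET parameters that cause a row to be inserted.
INPUT_KEYS = {"name", "email"}

def make_db():
    db = sqlite3.connect(":memory:")
    # UNIQUE lets the database itself answer "does it already exist?"
    # atomically, so a refresh cannot create a second row.
    db.execute("CREATE TABLE signup (name TEXT, email TEXT UNIQUE)")
    return db

def referer_has_input(environ):
    """True if the referring URL itself carried the input-bearing GET values."""
    ref = environ.get("HTTP_REFERER", "")
    return bool(INPUT_KEYS & set(parse_qs(urlsplit(ref).query)))

def handle(environ, db):
    """Return 'inserted', 'duplicate', 'rejected' or 'ignored' for one request."""
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    if not INPUT_KEYS <= set(qs):
        return "ignored"      # not an insert request
    # Referer is sent by the client and may be missing or altered, so this
    # is only a convenience filter; the UNIQUE constraint is what holds.
    if referer_has_input(environ):
        return "rejected"     # arrived from a URL that already submitted data
    cur = db.execute(
        "INSERT OR IGNORE INTO signup (name, email) VALUES (?, ?)",
        (qs["name"][0], qs["email"][0]),
    )
    db.commit()
    return "inserted" if cur.rowcount == 1 else "duplicate"

def demo():
    """Run three constructed requests: first submit, refresh, resubmit link."""
    db = make_db()
    submit = {"QUERY_STRING": "name=Ann&email=ann%40site.example",
              "HTTP_REFERER": "http://site.example/form"}
    from_result = {"QUERY_STRING": "name=Bob&email=bob%40site.example",
                   "HTTP_REFERER": "http://site.example/add?name=Ann&email=x"}
    return [handle(submit, db), handle(submit, db), handle(from_result, db)]

if __name__ == "__main__":
    print(demo())
```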