deny direct access to a folder and file by htaccess

This is pure mod_rewrite based solution:

RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show forbidden error to use if URI contains either /includes/ or /submit.php

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.