@NogDogAug 20.2013 — #Generally you need a file-server script that will validate the user is logged in and has access to that file, and then serves up the file by reading it from disk (e.g. readfile() or from the DB if you prefer). If doing a readfile(), you can simply put the file(s) outside of the web document root directory tree, so no one can access it via HTTP (or you can have it in the web root but use .htaccess to prohibit access). You might still use a DB to record meta-data about the files, including file names, directories, and types. Then the download link would point to the file-server script, which validates the user and the input (e.g. ?file=some_id_here), and if everything is okay, use header() to set some file-type headers and such, the readfile() the desired file path-name extracted from the DB.
@rootAug 20.2013 — #You could if you don't wish to have a login scenario, you could have a database that is used to store hash keys.
The person rolls up to your website and is asked to provide an email address and if you want a pin number to access the file.
Your system generates a hash key, stores it with the email in the database.
You then have a script generate a URL using the hash key and that then gets emailed to the user.
They then get an email with the URL to the file, that download script than asks the user to validate their email and supply a pin if generated.
The download then starts.
You then have the hash tag and email deleted from the database which then renders that link useless and the person then has to provide email to get a hash key which can be as simple as the users email address + the PHP time() functions value.
Thats fine if you want to have a user log in but you need something to test it against which implies that the person visiting has an account.
The same can be achieved in Apache servers .htaccess
you can achieve the same with simple javascript but that has the vulnerability of being bypassed by browsers that don't use javascript because they either don't have it or it has been disabled.
I have been fleshing out a system which when a request for a file is made, the system asks for an email address, it generates a hash, URL and sends an email to the address and the user then clicks the link in the email and punches in the PIN number and or email address used to obtain the link and the whole thing is one time use.