You can use an authentication system, and do not present the public url to the downloader.
For example, you create a table like:
file_name | file_path | file_code
-------------------------------------------------------
My picture | /var/docs/img.jpg | kljsldjalksdqhq1218
And after the user is logged in (and meets the criteria you defined) you present him with the download link:
http://yoursite.com/index.php?page=download&file=kljsldjalksdqhq1218
Then you query the database, check the correct association, and then you read the file – which resides outside the document root btw using file_get_contents() for example and present it as an octet-stream, or another appropriate MIME for the file type, to force the file download; something along the lines of:
header('Content-Type: "'.$mime.'"');
header('Content-Disposition: attachment; filename="'.$filename.'"');
header("Content-Transfer-Encoding: binary");
header('Expires: 0');
header('Pragma: no-cache');
header("Content-Length: ".strlen($file));
2
solved stop people stealing files from site [closed]