php - Protecting files from a direct HTTP request


Let's say I have a bunch of documents hosted on a webserver and I don't want them retrieved by a direct HTTP request, since the files are confidential. I started by encrypting the filename, but I want to take it one step further by placing the files outside the /public_html folder. How can I have PHP retrieve the requested file from a folder outside /public_html?

I'm trying to test this little script, but it is retrieving me a 0kb .pdf file with the wrong filename:

<?php
$file = '/home/clientaccount/secretfiles/file.pdf';

if (!file_exists($file)) {
    die('error: file not found.');
} else {
    // set headers
    header("cache-control: public");
    header("content-description: file transfer");
    header("content-disposition: attachment; filename=$file");
    header("content-type: application/pdf");
    header("content-transfer-encoding: binary");
}
?>

To make the code work properly, I had to add a command to make PHP read the file and output it:

<?php
$file = '/tmp/file.pdf';

if (!file_exists($file)) {
    die('error: file not found: '.$file);
} else {
    // set headers
    header("cache-control: public");
    header("content-description: file transfer");
    header("content-disposition: attachment; filename=$file");
    header("content-type: application/pdf");
    header("content-transfer-encoding: binary");
    // send the file contents as the response body
    readfile($file);
}
?>

Otherwise I couldn't read the file after download.

As Hans Kuit said, it is better to remove the path from the file name.
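
A hardened version of the download script discussed above, as an added example that is not part of the original posts: it resolves a requested name inside the secretfiles directory, rejects path traversal, and sends only the base name in Content-Disposition. The `name` query parameter and the `$_SESSION['user_id']` login marker are assumptions.

```php
<?php
declare(strict_types=1);

// Directory outside /public_html, as in the question.
const STORE = '/home/clientaccount/secretfiles';

// Map a client-supplied name to a readable PDF inside $store, or null.
function resolve_download(string $requested, string $store = STORE): ?string
{
    // basename() drops any directory part ("../../x.pdf" becomes "x.pdf").
    $name = basename($requested);
    if ($name === '' || $name[0] === '.' || !preg_match('/\A[\w.-]+\.pdf\z/i', $name)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under the store.
    $base = realpath($store);
    $path = realpath($store . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path) || !is_readable($path)) {
        return null;
    }
    return $path;
}

// Moving files out of the web root only blocks direct URLs; the script
// itself still has to decide who may download (assumed session marker).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

$requested = $_GET['name'] ?? '';   // assumed parameter name
$path = is_string($requested) ? resolve_download($requested) : null;
if ($path === null) {
    http_response_code(404);
    exit('File not found');
}

// Only the base name reaches the client, never the server-side path.
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
// Confidential files: keep them out of shared and browser caches.
header('Cache-Control: private, no-store');
readfile($path);
```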

