Even better - when the user uploads the file, include the user_ID for the file. Then, when you try to retrieve the file, make sure it belongs to the user.
So therefore even if they guess another file - it wont matter!
You need to use readfile:
function user_files($file_name = "")
{
// Check user is logged in
if ($user->logged_in())
{
// Check file_name is valid and only contains valid chars
if ((preg_match('^[A-Za-z0-9]{1,32}+[.]{1}[A-Za-z]{3,4}$^', $file_name))
{
// Now check file belongs to user - PSUEDOCODE
if ($filename == $user->records)
{
header('Content-Type: '.get_mime_by_extension(YOUR_PATH.$file_name)));
readfile(YOUR_PATH.$file_name);
} else {
echo 'You do not have access to this file';
}
}
}
}
There is some issues around directory traversal etc - so you'll need to check the $file_name first like I have using the preg_match