From my previous discussions here I took away the fact that files are secure if you put them under the root. I spoke with the person who handles this for me; he says if we block public access, then users who uploaded their content can't download or view their files. To give you an example of what I am trying to do:
If I, a member of the site, upload a Word file to my account, then I should be able to come back and download it. But because the folder is blocking access, how can the file then be downloaded?
Normally, files that you want to be downloadable should be inside the document root or somewhere deeper inside it. But, if you only want to make files downloadable some of the time (e.g. you want to check user credentials first, or count downloads in a database), you can write a download script. The simplest form would be something like:
<?php
header('Content-Disposition: attachment;filename=hello.txt');
readfile('/path/to/file.txt');
?>
Note that there's an even better way using a special Apache module called xsendfile. With that, you could do something like this:
<?php
header('Content-Disposition: attachment;filename=hello.txt');
header('X-Sendfile: /path/to/file.txt');
?>
Apache will see the second header, strip it and send the contents of file.txt. The nice thing is that your resource-intensive PHP script will already have stopped and you won't be running into any kind of PHP time or memory limits.
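A fuller version of the download script described in this answer, added here as an example rather than code from the original post: it serves a file kept outside the document root only to the logged-in user who owns it, and refuses any request that could name a path outside that user's directory. It assumes a session that sets $_SESSION['user_id'] and an upload layout of /var/www/uploads/<user_id>/<token>, both hypothetical.

```php
<?php
// Added example, not from the original answer. Assumed (hypothetical) layout:
// uploads live in /var/www/uploads/<user_id>/<token>, outside the document
// root, where <token> is an opaque hex name assigned at upload time.
session_start();

const UPLOAD_BASE = '/var/www/uploads';

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Identify the file by its opaque token, never by a user-supplied path.
// Rejecting anything but a plain token keeps "../" and absolute paths out
// of the filesystem call entirely.
$token = $_GET['file'] ?? '';
if (!preg_match('/^[a-f0-9]{32}$/', $token)) {
    http_response_code(400);
    exit('Bad request');
}

// Look only inside the requesting user's own directory and re-check, after
// realpath() normalisation, that the result is still underneath it.
$userDir = realpath(UPLOAD_BASE . '/' . (int) $_SESSION['user_id']);
$path = ($userDir === false) ? false : realpath($userDir . '/' . $token);
if ($path === false || strpos($path, $userDir . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// The original filename would normally come from the upload record in the
// database; this is a constructed placeholder. Strip characters that could
// break or smuggle content into the Content-Disposition header.
$originalName = 'report.docx';
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $originalName);

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');

// Let Apache stream the file if mod_xsendfile is loaded; otherwise stream it
// from PHP (subject to PHP's time and memory limits, as the answer notes).
if (function_exists('apache_get_modules') && in_array('mod_xsendfile', apache_get_modules(), true)) {
    header('X-Sendfile: ' . $path);
} else {
    readfile($path);
}
```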
Obviously files you want to make downloadable should be stored in the root or "after". Usually files you don't want others to access directly should be stored "under" the root. That's because if you need those files just to be included you can easily go back to the root and get them with an include() or a require(), while they are hidden from the user since your address will appear as www.site.com/index.php.
Files that have to be public and require public access (for example: download) cannot be stored "under" the root.
You can pass files to the user directly right from a PHP script. You need the fpassthru function. But this solution is not perfect and leads to problems. I'd rather prefer that you put the files that should be downloadable somewhere in a publicly accessible directory (somewhere in the document root directory or a subdirectory). Or you can serve them from a subdomain (even better).