Olszewski_marek makes a good suggestion, but the readfile() function can also be used to obscure file downloads from end users.
/* Setup the file that will be sent */
$downloadDir = "some/secret/directory/";
$file = "theFileName.dat";
/* Required for IE, otherwise Content-disposition is ignored */
if(ini_get('zlib.output_compression')) ini_set('zlib.output_compression', 'Off');
/* Output HTTP headers that force "Save As" dialog */
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=\\"$file\\";");
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".@filesize($downloadDir.$file));
/* Prevent the script from timing out for large files */
set_time_limit(0);
/* Send the entire file using @ to ignore all errors */
@readfile($downloadDir.$file);
/* Exit immediately so no garbage follows the file contents */
exit;
