You can't make someone download a file from a URL without letting them know the URL. It's not possible under the HTTP specification. Anything downloaded has a URL.

You can, however, have a download URL that only works once, or requires some specific information to be passed via the POST method. You check for a token in the GET or POST variables and invalidate that token once it's used once.

You can use the header() function which is documented here

I would suggest scrolling down and looking at the 1st example. It seems to be doing exactly what you want.

readfile should do what you want. Put the actual file outside the web server root, and require some credentials before passing back the file.

Find a way to identify the file to download (for instance, a GET variable that matches the ID of a row in a database, or something along these lines). Make damn sure it's a valid one, because you don't want your users to be able to download anything off your site. Then, use header with Content-Disposition to tell the browser the file should be downloaded, and readfile to output it.

For instance:

<?php

$id = intval($_GET['id']);
$query = mysql_query('SELECT file_path FROM files WHERE id = ' . $id);
if (($row = mysql_fetch_row($query)) !== false)
{
    header('Content-Disposition: attachment; filename=' . basename($row[0]));
    readfile($row[0]);
}
exit;

?>