Quote:
Originally Posted by Erutan409
Someone could easily navigate to where the file is on my website and stream/download it without having to get it through my script.
Keep the files in a non-web-accessible folder;
either use .htaccess to block requests
or throw the files into a folder below the web root.
Folder below web root
If the main folder for your site is /home/salathe/public_html/ then store the files outside of that folder; e.g., /home/salathe/file_store/. This way, it's simply not possible to type a URL which equates to the location of that folder!
Block access with .htaccess file
There are various ways you could achieve this but here's just one of them. Put a .htaccess file in the folder storing the files (e.g. /home/salathe/public_html/files/), with the following content.
htaccess Code:
Order deny,allow
Deny from all
Since you're using PHP to output the files (with authorisation checking, etc.) then it doesn't matter where the files are stored in the server so long as PHP can read them. :)
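
A download script for the "folder below web root" layout described above, added here as an example and not part of the original post. The `file` query parameter, the `$_SESSION['user_id']` login marker and the helper name `resolve_stored_file` are assumptions; the point shown is that the script must confirm the resolved path is still inside the storage folder before reading it.

```php
<?php
declare(strict_types=1);
// download.php - added example; the script sits in the web root, the files do not.

// Storage folder from the post, outside public_html.
const FILE_STORE = '/home/salathe/file_store';

/**
 * Map a requested name to a real path inside $store.
 * Returns null if the file is missing or the request escapes the folder.
 */
function resolve_stored_file(string $store, string $requested): ?string
{
    $base = realpath($store);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so check the prefix afterwards.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
// Assumption: the site's login code sets $_SESSION['user_id'] on success.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorised');
}

// Reject non-string input such as ?file[]=x before resolving.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$path = resolve_stored_file(FILE_STORE, $requested);
if ($path === null) {
    http_response_code(404);
    exit('No such file');
}

header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request such as `download.php?file=../public_html/config.php` resolves outside `/home/salathe/file_store/` and gets the 404 branch rather than the file.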