I didn't go through the whole thing in detail, so please correct me if I got anything wrong, but I think I understand enough of the structure.

There are some acute problems that could be solved in code, for example the use of str_replace() in download.php should be replaced by urldecode(), and you should be aware that the following couple of lines after that do exactly nothing to prevent access to arbitrary files on your server. I don't mean this in a rude way, but it looks like you still have a ton of reading to do on how web servers work until you can tackle any of these problems with confidence. So no, it's not remotely secure, and maybe something that focuses on security is not the best project to get started in the first place.

Besides the security aspects, the problem I see is that the script doesn't fulfill its own core promise: to regulate file access. You can just circumvent it by taking the filename sent as an argument to download.php and using that to access the thing in the files/ folder directly if indeed .htaccess isn't used (which would automatically apply to, say, any NginX server and which is indeed a scenario you explicitly advertise). If you want to prevent that, you have to either store the files in a place that isn't browser-addressable, or at least store them in a way so their names can't be guessed.

The problem with PHP is that it's deceptively easy to make something that looks like it works, but in reality doesn't. It's an environment that makes it very effortless to shoot yourself in the foot. Personally, I love working with it (as opposed to many other programmers), but it *requires* that you *really* know what you're doing. I don't want to discourage you from using it, but it's something you have to be aware of - and if you plan on doing only casual web development, I would highly recommend going with a framework instead.
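As an added example (not the original project's code and not part of the comment above), here is what a download.php that actually regulates file access looks like: the files live in a directory outside the web root, and the requested name is resolved with realpath() and checked for containment before anything is read. The storage path and the `file` query parameter name are assumptions.

```php
<?php
// Added example, not the original project's code. Assumptions: files are
// stored in /srv/app/private_files (outside the document root, so they are not
// browser-addressable even without .htaccess) and the requested name arrives
// as the "file" query parameter.

declare(strict_types=1);

const STORAGE_DIR = '/srv/app/private_files';

/**
 * Resolve a user-supplied name to an absolute path inside $storageDir.
 * Returns null when the name is empty, contains anything but a plain file
 * name, resolves outside the storage directory, or is not a regular file.
 */
function resolveDownloadPath(string $storageDir, string $requested): ?string
{
    // $_GET values are already URL-decoded by PHP, so no str_replace() or
    // urldecode() is needed; only plain file-name characters are accepted.
    if ($requested === '' || !preg_match('/\A[A-Za-z0-9._-]+\z/', $requested)) {
        return null;
    }
    // realpath() collapses "..", symlinks and repeated separators, so the
    // containment check is performed on the path the filesystem will open.
    $base = realpath($storageDir);
    $path = realpath($storageDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved to something outside the storage directory
    }
    return $path;
}

// Any per-user authorization check belongs here, before the path is resolved.
$path = resolveDownloadPath(STORAGE_DIR, (string) ($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve the bytes with a fixed content type and a quoted file name so the
// browser neither sniffs the content nor misparses the header.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```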