
PHP File Upload: User Security When Downloading?


For example, a simple PHP page can read a file from the filesystem and serve this up so that it is downloaded to the browser.

The simple example in that URL is vulnerable to directory traversal in the file parameter. You should validate any filename that is passed to your PHP script to protect against "../.." type attacks. This can actually get quite complex.

What may work for you is to have a token system where files are referenced by a unique, complex, random token. The database stores the actual file location on the filesystem, and when a request is received such as /download.php?token=blah... you look up a) the location of the file referenced by token "blah", and b) that the session of the calling user is permitted to access the file. If all is well, serve the file to the user, otherwise raise an error and log the illegitimate access.

You should use a PHP page to control access to the resources, rather than having the /files/ directory serve the content directly via the web server.

You would want to ensure:

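The token lookup and session check described above, as an added example that is not part of the original answer. The `files` table and its columns, the storage directory, the SQLite location and the `user_id` session key are all assumptions made for illustration.

```php
<?php
// download.php -- added example; schema, paths and session key are assumptions.
const STORAGE_ROOT = '/var/app/private_files'; // assumed: outside the web root

// Used by the upload handler: keep the real path in the DB, expose only a token.
function issueToken(PDO $db, int $ownerId, string $path, string $name): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO files (token, owner_id, path, name) VALUES (?, ?, ?, ?)')
       ->execute([$token, $ownerId, $path, $name]);
    return $token;
}

// Returns path and name if the token exists AND belongs to this user, else null.
function resolveDownload(PDO $db, string $token, int $userId): ?array
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // not the shape of a token we issue; no filesystem access
    }
    $stmt = $db->prepare('SELECT owner_id, path, name FROM files WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['owner_id'] !== $userId) {
        return null;
    }
    // Defence in depth: the stored path must still resolve inside STORAGE_ROOT.
    $real = realpath($row['path']);
    if ($real === false || strncmp($real, STORAGE_ROOT . '/', strlen(STORAGE_ROOT) + 1) !== 0) {
        return null;
    }
    return ['path' => $real, 'name' => $row['name']];
}

session_start();
$db     = new PDO('sqlite:/var/app/files.db'); // assumed database location
$userId = (int)($_SESSION['user_id'] ?? 0);    // assumed to be set at login
$token  = is_string($_GET['token'] ?? null) ? $_GET['token'] : '';
$file   = $userId > 0 ? resolveDownload($db, $token, $userId) : null;

if ($file === null) {
    error_log(sprintf('denied download: user=%d ip=%s', $userId, $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(404); // same response for "no such token" and "not yours"
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . preg_replace('/[^A-Za-z0-9._-]/', '_', $file['name']) . '"');
readfile($file['path']);
```

Because the request carries only a token, no user-supplied string is ever used as a path, so "../.." input has nothing to act on; the `realpath` prefix check only guards against a bad row in the database.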