This isn't really a 'tutorial', you will probably want to ask this in the programming discussion area, or have it moved.
The best way to go about this? Don't make the file available publicly... Here's at least a basic guide
#1: Create a directory outside of public_html to store your files, add references to your file in a mysql database, as well as your user payment status.
#2: Create a file called dl.php, or whatever you want it . Have that call the file (by id, not name), have it track downloads. Use something like fread .
Of course you'll need to add authentication in there, maybe by transaction id, and limit it to one ip or a set # of downloads per transaction?
Just food for thought.
WHMCS Guru - WHMCS addons, management, support and more. WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
Linux Problems? WHMCS Issues? +1-866-546-8914 (linux-14) or @whmcsguru on twitter!
You could store the file as a binary BLOB in the DB and only output it (with content-disposition header) on successful auth... or just as a file outside the documentroot and then stream the file to the user upon auth.
Anything relying on the obsfucation of a URL to a publically available file that someone could find is of course a bad idea and should be avoided. You really want to send the data programatically so you can control and restrict downloads.