That depends on where you place the files. The idea is to place the real files outside of your webroot, so the only access to them is available through the script. With a bit of mod_rewrite magic, you can even make it look like the person is actually downloading the real file, and the script will still kick in.
There is a follow-up coming on this article, with for example the mentioned .htaccess, but I got a little tied up in moving to my new house, so that might take a while before it is posted.
RE: can this be bypassed directly?
That depends on where you place the files. The idea is to place the real files outside of your webroot, so the only access to them is available through the script. With a bit of mod_rewrite magic, you can even make it look like the person is actually downloading the real file, and the script will still kick in.
There is a follow-up coming on this article, with for example the mentioned .htaccess, but I got a little tied up in moving to my new house, so that might take a while before it is posted.
Please feel free to ask any remaining questions.
~RW