Why not just change the "View Image" setting to private or registered user? Your best approach is to restrict access to the download button.
well, that's not the point, any registered members could click download button and find out the path for the file and they wont need use download.php anymore, they can use over and over again, or send to someone. if u use script that would read files (outside root not necesery) and then send it to the browser, u wont be able get the files without starting the script, but this is big perfomance drawback...
If you password protect the media directories, require HTTP authentication
I might did something wrong, but I've tryed do it this way, and it asked me for user/pass when I open details.php
they .htaccess for antileech will kill ability play video/audio files on the page...