Suggestions for upload protection

[connectcase]

The subject does not quite cover it, so a little elaboration below:

 

There is this existing PHP application, containing order information, which needs to be extended with an uploadmodule (PDF files accompanying orders).

 

Logging in is done via the database and an include file (login.php), that sets a session ("if empty(SESSION["userid"]) then" or something like that)

 

I can't include this login.php into the uploaded PDF's, meaning that if someone would know the actual filename, it would be easy to just type it in the address bar of their browser and

download/open the PDF.

 

First I thought I'd place the PDF's inside a folder outside the reach of the webroot and then stream them to the browser, when requested. But since I am on shared hosting, I cannot access the filesystem.

 

Anyone with suggestions? I am not looking for codesnippets (would be nice though), just a sort of "push in the right direction". I'm not too eager to put the whole PDF into the database (because of the exponential growth), but if that's the only solution, so be it.

 

Thanks in advance!