It is suggested that you don't save the entire file in the database. Save only the file name there, and store the file itself in a secure location.
You can save the file above the web root so that it can't be downloaded directly, and then use the file download server behavior to give the user access from a secured page.
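The lookup a secured download page performs under this layout, as an added example that is not part of the original post: the database holds only file names, the files sit in a folder beside the web root, and the resolved path is confirmed to stay inside that folder before anything is served. The table layout, the per-user `owner_id` check, the session dict and every name here are assumptions, and the sample data is constructed.

```python
import os
import sqlite3
import tempfile

class DownloadDenied(Exception):
    """Raised when a download request must be refused."""

def resolve_download(db, storage_dir, file_id, session):
    """Return (absolute_path, download_name) for a file this session may fetch."""
    # The page is "secured": refuse anyone without a logged-in session.
    if not session.get("user_id"):
        raise DownloadDenied("not logged in")
    # Only names live in the database; look up by id, never by a user-supplied path.
    row = db.execute(
        "SELECT stored_name, original_name FROM files WHERE id = ? AND owner_id = ?",
        (file_id, session["user_id"]),
    ).fetchone()
    if row is None:
        raise DownloadDenied("no such file for this user")
    stored_name, original_name = row
    root = os.path.realpath(storage_dir)
    path = os.path.realpath(os.path.join(root, stored_name))
    # Containment check: a stored name with ../ or a symlink must not escape the folder.
    if os.path.commonpath([root, path]) != root or not os.path.isfile(path):
        raise DownloadDenied("file is missing or outside the storage folder")
    return path, os.path.basename(original_name)

def build_demo():
    """Constructed sample: a web root with a private folder beside it, plus two rows."""
    site = tempfile.mkdtemp()
    storage = os.path.join(site, "private_files")   # above/outside the web root
    os.mkdir(os.path.join(site, "public_html"))     # the web root itself
    os.mkdir(storage)
    with open(os.path.join(storage, "a1b2c3.bin"), "wb") as fh:
        fh.write(b"constructed sample report")
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner_id INTEGER,"
               " stored_name TEXT, original_name TEXT)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?, ?)", [
        (1, 7, "a1b2c3.bin", "report.pdf"),
        (2, 7, "../public_html/index.html", "index.html"),  # tampered row
    ])
    return db, storage

if __name__ == "__main__":
    db, storage = build_demo()
    print(resolve_download(db, storage, 1, {"user_id": 7}))
```

The download page would stream the returned path with the returned name as the attachment name, so the on-disk name never reaches the browser.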