What I like to do in cases like this is to save the files in a directory above the web root. That way they are completely inaccessible from the outside world. Then you can use our file download to allow them to be downloaded by logged in users that you have verified have access.
You could also save the file into a BLOB field in your database, but I don't think that is any more secure, and databases are notoriously inefficient when it comes to file storage.