Hi,

I have files in a folder. When I list those files in my PHP site, all the hyperlinks show the full path of the file in the status bar of the browser.

e.g.
When I mouse over a hyperlink, it shows "..../personalFolder/hello.doc"

How can I solve this problem? I think this is a security breach.

Thanks

diafol:

You can use htaccess mod_rewrite (although I can't help you with this - I'm rubbish at regex/preg) or have a redirect page containing the urls. You'll need to send a querystring to the redirect page (e.g. file id) then the page redirects to the url of the file (obviously you need to keep a list - possibly in a DB).

Why a security breach? So why put a public document into a private folder? Nobody will be able to get into the contents of this folder if you create index.php there, for example.

or have a redirect page containing the urls

I recommend a script that gives the file without giving its address.

And... if you want some text in the status bar instead of the link... that is a job for JavaScript, but do you think it can make your dir safe? :)

Every user will have their private folder filled with their personal files, that's why it is a security breach.

It's normal for a hyperlink to show the physical path... you're the only person babbling about it... well, if you really think that's a security breach... then you can encrypt your hyperlinks and decrypt the link to its original at the receiving end. I mean a link page that will decrypt the encrypted links and route them to whatever page they will be.

secured files are stored outside the html_root
where for example a file for download is accessed by <a href='download.php?filename=thisfile.doc&type=doc'>download thisfile</a>

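<?php /* download.php */
session_start();
$filename = basename((string)($_GET['filename'] ?? '')); // basename() drops any directory part, so ../ cannot leave the user's folder
if (!isset($_SESSION['user'])) { // not logged in ($_SESSION['user'] is an assumed login marker)
    $hiddenfile = "../absolutepath/polkamusic.mp3"; $filename = 'polkamusic.mp3'; $type = 'audio/mpeg';
} else {
    $user = basename($_SESSION['user']);
    $hiddenfile = "../absolutepath/$user/$filename";
    $type = 'application/octet-stream'; /* $type=matching mime type and I'm too lazy to set a look up table in this example ?*/
}
if (!is_file($hiddenfile)) { http_response_code(404); exit; } // unknown file: send nothing
header("Content-type: $type");
header("Content-Disposition: attachment; filename=\"$filename\""); // double quotes so $filename is interpolated
readfile($hiddenfile);
?>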

displayed url download.php?filename&type
not logged in users get polka music
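
The redirect-page idea from the replies (send a file id, keep the list on the server), combined with per-user folders outside the web root, as an added example that is not part of the original thread. STORAGE_ROOT, the $catalog array (standing in for a DB table), the sample ids and $_SESSION['user'] are all assumptions.

```php
<?php
// Added example: download.php?id=<opaque id> (requires PHP 8 for str_starts_with).
declare(strict_types=1);

const STORAGE_ROOT = '/var/private_files'; // assumed location, outside the web root

// Constructed sample catalog; in practice a DB table keyed by a random id.
$catalog = [
    'f3a9c1d2' => ['owner' => 'alice', 'path' => 'alice/hello.doc', 'mime' => 'application/msword'],
    '7be04a55' => ['owner' => 'bob',   'path' => 'bob/report.pdf',  'mime' => 'application/pdf'],
];

/** Return ['path','mime','name'] if $id exists and belongs to $user, else null. */
function resolve_download(array $catalog, string $user, string $id, string $root): ?array
{
    // Unknown id and "someone else's file" get the same answer, so ids cannot be probed.
    if (!isset($catalog[$id]) || $catalog[$id]['owner'] !== $user) {
        return null;
    }
    $base = realpath($root);
    $real = realpath($root . '/' . $catalog[$id]['path']);
    if ($base === false || $real === false) {
        return null;
    }
    // realpath() resolves ../ and symlinks; the result must still sit under the root.
    if (!str_starts_with($real, $base . DIRECTORY_SEPARATOR) || !is_file($real)) {
        return null;
    }
    return ['path' => $real, 'mime' => $catalog[$id]['mime'], 'name' => basename($real)];
}

session_start();
$user = $_SESSION['user'] ?? null;            // assumed to be set by the login page
$id   = $_GET['id'] ?? '';
$file = (is_string($user) && is_string($id))
    ? resolve_download($catalog, $user, $id, STORAGE_ROOT)
    : null;

if ($file === null) {
    http_response_code(404);                  // never reveal whether the file exists
    exit;
}
header('Content-Type: ' . $file['mime']);
header('Content-Disposition: attachment; filename="' . $file['name'] . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($file['path']));
readfile($file['path']);
```

The link the browser shows is then only download.php?id=f3a9c1d2; the ownership check, not the hidden path, is what keeps one user out of another's folder.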
