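// Look the record up by the second element of $id, bound as a statement parameter.
$stm->execute(array(':id' => $id[1]));
$res = $stm->fetch(PDO::FETCH_ASSOC);
if (false === $res) {
    // fetch() returned false: no row matched.
    header("HTTP/1.0 404 Not Found", true, 404);
    // NOTE(review): $id is built outside this excerpt, presumably from the request URL.
    // No Content-Type is set on this path, so PHP's default (normally text/html) applies;
    // the echoed identifier is therefore HTML-escaped before it is reflected.
    die('404 Not Found: ' . htmlspecialchars($id[0] . ' ' . $id[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ' is not found. it may have expired, been deleted, or never existed at all.');
}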
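// An expire value of -1 skips the expiry check; any other value is a Unix timestamp.
// The sentinel is compared as an integer because PDO can hand the column back either as
// the string '-1' or as a native int, depending on driver and PHP version; a strict
// comparison against '-1' would then report every non-expiring file as gone.
if ((int) $res['expire'] !== -1 && time() >= (int) $res['expire']) {
    header("HTTP/1.0 410 Gone", true, 410);
    die('410 Gone: this file expired on ' . date(DateTime::ISO8601, (int) $res['expire']));
}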
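// A non-empty stored hash means the download is password protected.
if (is_string($res['password_hash']) && 0 < strlen($res['password_hash'])) {
    // NOTE(review): the password travels in the query string, so it can end up in web
    // server access logs, proxy logs and browser history. Accepting it in a POST body or
    // a request header would keep it out of those places.
    // A non-string value (e.g. password[]=x) is treated the same as a missing password
    // rather than being passed on to the hashing function.
    if (!isset($_GET['password']) || !is_string($_GET['password'])) {
        header("HTTP/1.0 403 Forbidden", true, 403);
        die('this file is password protected, and no password supplied.');
    }
    // hash_equals() compares in constant time, so the response time does not reveal how
    // many leading bytes of the candidate hash matched the stored one.
    // NOTE(review): passwordHashV1() is defined elsewhere; confirm it is a slow, salted
    // password hash and not a plain digest.
    if (!hash_equals($res['password_hash'], (string) passwordHashV1($_GET['password']))) {
        header("HTTP/1.0 403 Forbidden", true, 403);
        die('wrong password');
    }
}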
// Build the on-disk path from the upload directory and the file name stored in the row.
// NOTE(review): local_filename is used exactly as read from the database; presumably it
// is generated server-side -- confirm it can never contain path separators or "..".
$fullFilePath = hhb_combine_filepaths($files_folder, $res['local_filename']);
if (false === file_exists($fullFilePath)) {
    // The row exists but its backing file does not: database and disk disagree.
    // NOTE(review): the message embeds $id; make sure uncaught exceptions are logged,
    // not displayed to the client.
    throw new Exception("CORRUPTED DATABASE! FILE FOR " . var_export($id, true) . ' DOES NOT EXIST!');
}
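// Download response headers. file_content_type and data_name are read back from the
// database row and cleaned again here, so a value that slipped past upload-time
// sanitising cannot change the structure of a header.
header('Content-Description: File Transfer');
// Control characters (CR/LF included) are dropped from the stored content type.
header('Content-Type: ' . preg_replace('/[\x00-\x1F\x7F]/', '', (string) $res['file_content_type']));
// Ask the browser to honour the declared type instead of sniffing the body.
header('X-Content-Type-Options: nosniff');
// Inside the quoted filename parameter a '"' would end the value and a '\' would start
// an escape, so both are replaced along with control characters.
header('Content-Disposition: attachment; filename="' . preg_replace('/[\x00-\x1F\x7F"\\\\]/', '_', (string) $res['data_name']) . '"');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');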
/**
 * Hash the password submitted in the current POST request, if there is one.
 *
 * @return mixed '' when no "password" field was posted, otherwise whatever
 *               passwordHashV1() returns for the posted value.
 */
function getPasswordHash()
{
    // NOTE(review): the posted value is forwarded without a type check, so an array
    // (password[]=x) reaches passwordHashV1() as-is -- confirm that helper rejects it.
    return isset($_POST['password']) ? passwordHashV1($_POST['password']) : '';
}