Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
The trouble with fpassthru() is that download managers will not work with that url, unless you're ready to go and re-implement major parts of the HTTP server protocol
If you don't care about download managers and continuing of broken downloads, it's fine.