It is not normal practice in WP development to include executable PHP in content.
Most typically this would be implemented with a shortcode which provides safe element to put into content, which renders a more complicated output required.
Not sure about download.php part, I would guess that might be better off incorporated into WP runtime as well, but depends on what exactly it does and how.