So far what I have managed to do is upload the file in the app/files directory and download them using the deprecated media views. I am unable to use $file = $this->Attachment->getFile($id); and I want to display the images/files to the user, say like a profile image of the user. How can I get this done without compromising on the security of the user images?
I get the error
Call to a member function getFile() on a non-object
I don't want to use any plugins for the same.
Thanks in advance.
You've got three options:
- Create a mod_rewrite rule that allows access to the directory outside your web root to be viewed via an URL. This way the image will not have to be output via a PHP script
- Create a symlink inside your webroot that points to the directory outside your web root. This way the images will also be output directly by apache, not via a PHP script. You can follow the instructions for 'plugin assets' here: http://book.cakephp.org/2.0/en/plugins.html#plugin-assets
- Read the file with PHP and output (a resized version of) the image with PHP, e.g. via the imagejpeg() function. For this to work you should output the image without using a 'layout' and set the right response headers. More information on the 'response' object can be found here: http://book.cakephp.org/2.0/en/controllers/request-response.html#sending-files
I don't have time at the moment to write examples, but can provide some pointers if needed
update
Although the MediaView is deprecated in CakePHP 2.3, you can still 'learn' from it on how to handle file-downloads yourself. Most of the 'magic' in the MediaView is concentrated around the Response-object, which is available in just about every object inside Cake (also inside your Controller). It's probably easy to convert the MediaView into a Component that you can attach to your Controller for outputting/sending files.
The source of the MediaView can be found here:
http://api.cakephp.org/2.2/source-class-MediaView.html#23-242
And, additional information on sending files via the response-object can be found in the link I mentioned earlier (http://book.cakephp.org/2.0/en/controllers/request-response.html#sending-files)
important
Although not directly related to your question, some warnings:
User-provided uploads are dangerous; always be sure that you check filetypes and sanitize filenames and paths (if you allow users to specify a path). Always assume that a user is able to send something like '../../../../' as a pathname and guard yourself against that situation.
Be sure to disable PHP parsing for the directories/URLs that contain files uploaded by users. I've seen situations where users were able to upload dangerous_file.php.jpg and were able to rename the file afterwards (remove .jpg).
More information on disabling PHP in paths can be found here:
Disable PHP in directory (including all sub-directories) with .htaccess
And, regarding that last point: be sure to disable 'overriding' those settings within the user-directories (e.g. consider a situation where the user is able to upload a .htaccess file?).
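The filename and filetype checks from the warnings above, sketched as an added example that is not part of either answer: it maps a requested name to a path inside the upload directory and refuses traversal, dotfiles and double extensions before a controller would hand the path to the response object. The function name `resolveUpload()`, the allowed-type list and the "exactly one extension" policy are assumptions, the sample files are constructed, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example (not from the answers above). resolveUpload() and the
// allowed-type list are hypothetical; the sample files are constructed.

// Map a user-supplied file name to a real path inside $baseDir,
// or return null when the request must be refused.
function resolveUpload($baseDir, $requested, array $allowedTypes)
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // basename() drops any directory part, so '../../x' becomes 'x'.
    $name = basename(str_replace('\\', '/', $requested));
    // Refuse dotfiles (.htaccess) and anything but exactly one extension.
    if ($name === '' || $name[0] === '.' || substr_count($name, '.') !== 1) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit under $base.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Decide the type from the content, not from the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return in_array($finfo->file($path), $allowedTypes, true) ? $path : null;
}

// Constructed sample data in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/avatar.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
file_put_contents($dir . '/dangerous_file.php.jpg', 'not an image');

$allowed = array('image/gif', 'image/jpeg', 'image/png');
$requests = array('avatar.gif', '../../../../etc/passwd', 'dangerous_file.php.jpg', '.htaccess');
foreach ($requests as $req) {
    $path = resolveUpload($dir, $req, $allowed);
    echo str_pad($req, 26), $path === null ? 'refused' : 'ok', "\n";
}

array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```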
Media views are deprecated now in CakePHP 2.3.
Please have a look at this link:
http://book.cakephp.org/2.0/en/views/media-view.html
    public function download() {
        $this->viewClass = 'Media';
        // Download app/outside_webroot_dir/example.zip
        $params = array(
            'id' => 'example.zip',
            'name' => 'example',
            'download' => true,
            'extension' => 'zip',
            'path' => APP . 'outside_webroot_dir' . DS
        );
        $this->set($params);
    }