so far what I have managed to do is upload the file in app/files directory and download them using the deprecated media views. I am unable to use
$file = $this->Attachment->getFile($id);
and i want to display the images/files to the user, say like a profile image of the user. How can i get this done without comprising on the security of the user images.
I get the error
Call to a member function getFile() on a non-object
I don't want to use any plugins for the same.
Thanks in advance.
Media view are deprecated now in cakephp 2.3
please have look on this link :
http://book.cakephp.org/2.0/en/views/media-view.html
You've got three options;
imagejpeg()
function. For this to work you should output the image without using a 'layout' and set the right response headers. More information on the 'response' object can be found here: http://book.cakephp.org/2.0/en/controllers/request-response.html#sending-filesI don't have time at the moment to write examples, but can provide some pointers if needed
update
Although the MediaView is deprecated in CakePHP 2.3, you can still 'learn' from it on how to handle file-downloads yourself. Most of the 'magic' in the MediaView is concentrated around the Response-object, which is available in just about every object inside Cake (also inside your Controller). It's probably easy to convert de MediaView into a Component that you can attach to your Controller for outputting/sending files.
The source of the MediaView can be found here: http://api.cakephp.org/2.2/source-class-MediaView.html#23-242
And, additional information on sending files via the response-object can be found in the link I mentioned earlier (http://book.cakephp.org/2.0/en/controllers/request-response.html#sending-files)
important
Although not directly related to your question, some warnings;
User-provided uploads are dangerous always be sure that you check filetypes and sanitize filenames and paths (if you allow users to specify a path). Always assume that a user is able to send something like '../../../../' as a pathname an guard yourself against that situation
Be sure to disable PHP parsing for the directories/URLs that contain files uploaded by users. I've seen situations where users were able to upload
dangerous_file.php.jpg
and were able to rename the file afterwards (remove.jpg
).More information on disabling PHP in paths can be found here: Disable PHP in directory (including all sub-directories) with .htaccess
And, regarding that last point: Be sure to disable 'overriding' those settings within the user-directories (e.g. consider a situation where the user is able to upload a
.htaccess
file?