Example.
in models/db.py
db.define_table('image',SQLField('file','upload'),SQLField('filename'))
in controllers/db.py
def test():
form=SQLFORM(db.image,fields=['file'])
if request.vars.file!=None:
form.vars.filename=strip_path_and_sanitize(request.vars.file.filename)
if form.accepts(request.vars,session):
response.flash='file uploaded'
return dict(form=form)
def download():
return response.stream(open(os.path.join(request.folder,'uploads',request.args[0]),'rb'))
you can link the file as
/app/controller/download/{{=image.file}}/{{=image.filename}}
You need your own strippathand_sanitize function