when the config/main.php ‘enableCsrfValidation’ is set to true the uploader not working and display to me CSRF token could not be verified, with false works fine but I don’t want to have security risks
I don’t know that extension, but i’ve had similar issues with CSRF protection. With that enabled, each POST form needs a hidden field, which contains the CSRF token of that user. Yii automatically adds that to every form, as long as you create the <form> tag with CHtml::form() (or any derivate, e.g. through CActiveForm). Also make sure, that you don’t cache such a form, because you would cache the CSRF token of the first user who hits the cold cache.
So maybe you want to have a look at the extensions source to verify one of the above problems.
Have a look at this forum thread with a custom HttpRequest class. When uploading a file using that extension POST contains only the file contents and CSRF gets moved into GET. You need to allow some actions to read CSRF token from GET, not only POST.