Is it enough to remove ".." from strings to avoid a directory traversal attack?

I can't presently think of a good reason why removing all ".." strings doesn't work, but the most appropriate way would be to use the realpath() function and ensure the start of the string matches the intended full directory path.


It's very easy for attackers to encode the literal string .. in a number of ways. The easiest way is using URL encoding which encodes .. as %2E%2E. This will not be caught by str_replace and will still resolve into a malicious path. See the OWASP Path Traversal page for more examples.

realpath() is generally a better solution for this situation.
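As an added illustration of both answers (this is example code, not anything posted by the answerers), the script below puts the naive ".." stripping filter next to the realpath()-and-prefix check. It uses Python's os.path.realpath as a stand-in for PHP's realpath(), a constructed base directory /srv/app/uploads that is never created on disk (realpath resolves missing components lexically on POSIX), and it models the flow the second answer describes: the filter runs on the raw, still URL-encoded value, and decoding happens afterwards.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the example; nothing is created on disk.
BASE_DIR = "/srv/app/uploads"


def strip_dotdot(user_path: str) -> str:
    """The naive filter from the question: str_replace('..', '', $path) in PHP terms."""
    return user_path.replace("..", "")


def safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path relative to base_dir and accept it only if the canonical
    result is still inside the canonical base (the approach from the first answer).
    Returns the canonical path, or None when the request would escape the base."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, so an absolute
    # request is resolved on its own and then rejected by the prefix check.
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Compare on a directory boundary: "/srv/app/uploads2" must not pass as
    # being under "/srv/app/uploads" just because the string starts that way.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True when the realpath check rejects the request."""
    return safe_path(base_dir, user_path) is None


def naive_filter_bypassed(encoded_path: str) -> bool:
    """Model the scenario from the second answer: the '..' filter runs on the
    raw request value, the application URL-decodes afterwards, and only then
    touches the filesystem. Returns True if '..' survives into the decoded path."""
    filtered = strip_dotdot(encoded_path)
    decoded = unquote(filtered)
    return ".." in decoded


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest attempts to leave BASE_DIR.
    requests = [
        "report.txt",
        "sub/../report.txt",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
        "../uploads2/report.txt",
    ]
    for req in requests:
        print(f"{req!r:32} strip('..') -> {strip_dotdot(req)!r:24} "
              f"bypassed={naive_filter_bypassed(req)!s:5} "
              f"realpath check -> {safe_path(BASE_DIR, unquote(req))}")
```

Note what the table shows for "../../etc/passwd": stripping ".." leaves "//etc/passwd", an absolute path, so the naive filter does not produce a harmless name even when the literal ".." is present; the realpath check rejects it along with the encoded and the absolute variants, while "sub/../report.txt" is accepted because it canonicalises to a file inside the base.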