I believe web servers allow .. to work "correctly" by canonocalizing out the ..'s before the security checks, so if I can access /a/b/c but cannot access /a/b/d, I can still access /a/b/d/../c because the server converts this to /a/b/c before doing the check. I'm pretty sure this is the case. So we can steal that idea, I'd say. -tom