I usually do that sort of checking when I parse the query_string. It seems to be a bad habbit closing down security later down the line when you can do it right off the bat when you receive your data. Think something looks suspicious? Chop it off regardless of what you'll be doing later...
$str =~ s/\.\.\///g;