[Jarron]

1) Yes, I agree that trusted post variables probably is not relevant here.

2) As suggested, I tried var_dump before and after the auth.php include. No sign of delivery_date anywhere...

To be sure, I tested using empty() and isset() - both return values suggesting $delivery_date is not set.

3) So then I looked in to auth.php, prepare.php & top.inc.php. The only filtering these seem to do is:

- Identify all variables using php's get_defined_vars() function
- Compare these to a list of restriced var names ("GLOBALS","HTTP_GET_VARS","HTTP_POST_VARS","HTTP_SERVER_VARS","HTTP_ENV_VARS","HTTP_COOKIE_VARS","HTTP_POST_FILES","__key","__val","_GET","_POST","_SERVER","_COOKIE","HTTP_RAW_POST_DATA
)
- Remove the posted variable if it clashes with the restricted var names or is not a key within one of them.

So nothing stopping delivery_date being passed here (right?).

4) Next I tried get_defined_vars() at the beginning of cart.php. It showed various variables but not delivery_date.


I'm baffled. Some ideas that might get me there:

a) It seems like the issue is somewhere between posting from html and cart.php being called.

b) The only thing I can think of is that (in additon to the above checks) xcart is redirecting my posts for manipulation somewhere else before cart.php even sees them.

Does this sound feasible? I just can't think of any other logical explanation.

If so - where would it be redirecting and how?

Any ideas?

thx again in advance,

js