diff --git a/htdocs/comm/clients.php b/htdocs/comm/clients.php
index edd5d25b1bd..2bbb1883dcb 100644
--- a/htdocs/comm/clients.php
+++ b/htdocs/comm/clients.php
@@ -1,6 +1,6 @@
- * Copyright (C) 2004-2005 Laurent Destailleur
+ * Copyright (C) 2004-2006 Laurent Destailleur
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -18,7 +18,6 @@
 *
 * $Id$
 * $Source$
- *
 */
 /**
@@ -60,13 +59,13 @@ $sql .= " WHERE s.fk_stcomm = st.id AND s.client=1";
 if ($socidp) $sql .= " AND s.idp = $socidp";
 if ($user->societe_id) $sql .= " AND s.idp = " .$user->societe_id;
-if ($search_nom) $sql .= " AND s.nom like '%".strtolower($search_nom)."%'";
-if ($search_ville) $sql .= " AND s.ville like '%".strtolower($search_ville)."%'";
-if ($search_code) $sql .= " AND s.code_client like '%".strtolower($search_code)."%'";
+if ($search_nom) $sql .= " AND s.nom like '%".addslashes(strtolower($search_nom))."%'";
+if ($search_ville) $sql .= " AND s.ville like '%".addslashes(strtolower($search_ville))."%'";
+if ($search_code) $sql .= " AND s.code_client like '%".addslashes(strtolower($search_code))."%'";
 if ($socname)
 {
- $sql .= " AND lower(s.nom) like '%".strtolower($socname)."%'";
+ $sql .= " AND lower(s.nom) like '%".addslashes(strtolower($socname))."%'";
 $sortfield = "lower(s.nom)";
 $sortorder = "ASC";
 }
diff --git a/htdocs/comm/propal.php b/htdocs/comm/propal.php
index 8fa3fb0a011..8f2547601e5 100644
--- a/htdocs/comm/propal.php
+++ b/htdocs/comm/propal.php
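Review bot: `addslashes()` on the three search terms and on `$socname` only closes the quote break-out for connections that honour backslash escapes with a single-byte charset: on MySQL with a multibyte client charset such as GBK the input `\xbf'` becomes `\xbf\'`, where `\xbf\` is consumed as one character and the quote is live again, and under `NO_BACKSLASH_ESCAPES` (or PostgreSQL with `standard_conforming_strings` on) the inserted backslash escapes nothing. The driver's own escape (`mysql_real_escape_string()` on a MySQL backend, or whatever the database abstraction wraps) or a prepared statement is the durable replacement. In the same statement the context lines `if ($socidp) $sql .= " AND s.idp = $socidp";` and the `$user->societe_id` branch still interpolate raw; `$socidp`'s origin is outside the hunk, so if it is request-derived it needs `" AND s.idp = ".(int) $socidp`. The `$sortfield = "lower(s.nom)"` assignment implies ORDER BY is assembled from variables elsewhere, and `addslashes()` cannot protect an identifier position, so those values need an allow-list rather than escaping.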
@@ -1210,17 +1210,17 @@ else
 if (!empty($_GET['search_ref']))
 {
- $sql .= " AND p.ref LIKE '%".$_GET['search_ref']."%'";
+ $sql .= " AND p.ref LIKE '%".addslashes($_GET['search_ref'])."%'";
 }
 if (!empty($_GET['search_societe']))
 {
- $sql .= " AND s.nom LIKE '%".$_GET['search_societe']."%'";
+ $sql .= " AND s.nom LIKE '%".addslashes($_GET['search_societe'])."%'";
 }
 if (!empty($_GET['search_montant_ht']))
 {
- $sql .= " AND p.price='".$_GET['search_montant_ht']."'";
+ $sql .= " AND p.price='".addslashes($_GET['search_montant_ht'])."'";
 }
- if ($sall) $sql.= " AND (s.nom like '%".$sall."%' OR p.note like '%".$sall."%' OR pd.description like '%".$sall."%')";
+ if ($sall) $sql.= " AND (s.nom like '%".addslashes($sall)."%' OR p.note like '%".addslashes($sall)."%' OR pd.description like '%".addslashes($sall)."%')";
 if ($socidp) $sql .= ' AND s.idp = '.$socidp;
 if ($_GET['viewstatut'] <> '')
 {
@@ -1236,7 +1236,7 @@ else
 }
 if (strlen($_POST['sf_ref']) > 0)
 {
- $sql .= " AND p.ref like '%".$_POST["sf_ref"] . "%'";
+ $sql .= " AND p.ref like '%".addslashes($_POST["sf_ref"]) . "%'";
 }
 $sql .= ' ORDER BY '.$sortfield.' '.$sortorder.', p.ref DESC';
 $sql .= $db->plimit($limit + 1,$offset);
diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php
index 6e4a90cbe50..57855fb520d 100644
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@@ -1,7 +1,7 @@
 * Copyright (C) 2004 Éric Seigne
- * Copyright (C) 2004-2005 Laurent Destailleur
+ * Copyright (C) 2004-2006 Laurent Destailleur
 * Copyright (C) 2005 Marc Barilley / Ocebo
 * Copyright (C) 2005-2006 Regis Houssin
 * Copyright (C) 2006 Andre Cianfarani
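Review bot: `p.price='".addslashes($_GET['search_montant_ht'])."'"` treats a numeric column as an escaped string; the value should be validated as a number and compared unquoted, e.g. `if (is_numeric($_GET['search_montant_ht'])) $sql .= " AND p.price = ".(float) $_GET['search_montant_ht'];` (normalising a localised decimal such as `12,50` first if the form accepts one), which removes the escaping question for that term entirely. For the LIKE terms, `addslashes()` is neither charset- nor dialect-aware; this file already routes through `$db` for `plimit()` in the next hunk, and that abstraction is the natural home for a driver-level escape. `if ($socidp) $sql .= ' AND s.idp = '.$socidp;` is still concatenated raw two lines below the change; its assignment is not visible here, so if it is request-derived an `(int)` cast is needed. The enclosing `else` block starts before the hunk.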
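Review bot: The ORDER BY line directly below the change, `$sql .= ' ORDER BY '.$sortfield.' '.$sortorder.', p.ref DESC';`, is the injection point this commit leaves open: `$sortfield` and `$sortorder` land in an identifier position where quote escaping is meaningless, so if they come from the request as the surrounding `search_*`/`sf_ref` parameters do, they must be matched against an allow-list before this statement, e.g. `if (!in_array($sortorder, array('ASC', 'DESC'))) $sortorder = 'ASC';` plus a fixed list of permitted `$sortfield` column names. Their assignment is outside the hunk, so this is conditional on their origin. `$limit` and `$offset` handed to `$db->plimit()` deserve the same check unless that helper casts them to int. The enclosing `else` block starts before the hunk.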
@@ -2030,19 +2030,19 @@ else
 }
 if ($_GET['search_ref'])
 {
- $sql .= ' AND f.facnumber like \'%'.$_GET['search_ref'].'%\'';
+ $sql .= ' AND f.facnumber like \'%'.addslashes($_GET['search_ref']).'%\'';
 }
 if ($_GET['search_societe'])
 {
- $sql .= ' AND s.nom like \'%'.$_GET['search_societe'].'%\'';
+ $sql .= ' AND s.nom like \'%'.addslashes($_GET['search_societe']).'%\'';
 }
 if ($_GET['search_montant_ht'])
 {
- $sql .= ' AND f.total = \''.$_GET['search_montant_ht'].'\'';
+ $sql .= ' AND f.total = \''.addslashes($_GET['search_montant_ht']).'\'';
 }
 if ($_GET['search_montant_ttc'])
 {
- $sql .= ' AND f.total_ttc = \''.$_GET['search_montant_ttc'].'\'';
+ $sql .= ' AND f.total_ttc = \''.addslashes($_GET['search_montant_ttc']).'\'';
 }
 if ($year > 0)
 {
@@ -2050,11 +2050,11 @@ else
 }
 if ($_POST['sf_ref'])
 {
- $sql .= ' AND f.facnumber like \'%'.$_POST['sf_ref'] . '%\'';
+ $sql .= ' AND f.facnumber like \'%'.addslashes($_POST['sf_ref']) . '%\'';
 }
 if ($sall)
 {
- $sql .= ' AND (s.nom like \'%'.$sall.'%\' OR f.facnumber like \'%'.$sall.'%\' OR f.note like \'%'.$sall.'%\' OR fd.description like \'%'.$sall.'%\')';
+ $sql .= ' AND (s.nom like \'%'.addslashes($sall).'%\' OR f.facnumber like \'%'.addslashes($sall).'%\' OR f.note like \'%'.addslashes($sall).'%\' OR fd.description like \'%'.addslashes($sall).'%\')';
 }
 $sql .= ' GROUP BY f.facnumber';
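Review bot: With `magic_quotes_gpc` enabled, which was frequently the case on PHP 4/5 deployments of this era, `$_GET['search_ref']` and the other three values already arrive backslash-quoted, and `addslashes()` on top double-escapes them, so a search for `O'Brien` silently matches nothing; correctness of the new lines now depends on an ini setting. The usual guard is to undo the automatic quoting first, `$v = get_magic_quotes_gpc() ? stripslashes($_GET['search_ref']) : $_GET['search_ref'];`, and then escape exactly once, preferably with the driver's escape rather than `addslashes()`. `f.total = '...'` and `f.total_ttc = '...'` are numeric comparisons, so for those two an `is_numeric()` check or a `(float)` cast is both safer and simpler than string escaping. The enclosing `else` block starts before the hunk.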
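Review bot: `addslashes($sall)` is evaluated four times inside a single string expression, which makes the line hard to audit and easy to leave one occurrence unescaped in a future edit; escape once into a local and reuse it, `$sall_escaped = addslashes($sall);` just inside the `if ($sall)` block and `'%'.$sall_escaped.'%'` in each of the four LIKE terms. Where `$sall` is assigned is outside the hunk; if it is taken from the request it carries the same charset and magic-quotes caveats as the other search fields, which is a further reason to route every term through one shared escape helper instead of repeating `addslashes()` per term. The enclosing `else` block starts before the hunk.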