diff --git a/htdocs/expensereport/list.php b/htdocs/expensereport/list.php
index caae068461a..053d293db83 100644
--- a/htdocs/expensereport/list.php
+++ b/htdocs/expensereport/list.php
@@ -72,7 +72,7 @@ $search_user = GETPOST('search_user','int');
 $search_amount_ht = GETPOST('search_amount_ht','alpha');
 $search_amount_vat = GETPOST('search_amount_vat','alpha');
 $search_amount_ttc = GETPOST('search_amount_ttc','alpha');
-$search_status = (GETPOST('search_status','alpha')!=''?GETPOST('search_status','alpha'):GETPOST('statut','alpha'));
+$search_status = (GETPOST('search_status','intcomma')!=''?GETPOST('search_status','intcomma'):GETPOST('statut','intcomma'));
 $month_start = GETPOST("month_start","int");
 $year_start = GETPOST("year_start","int");
 $month_end = GETPOST("month_end","int");
@@ -305,11 +305,7 @@ if ($search_amount_ttc != '') $sql.= natural_search('d.total_ttc', $search_amoun
 // User
 if ($search_user != '' && $search_user >= 0) $sql.= " AND u.rowid = '".$db->escape($search_user)."'";
 // Status
-if ($search_status != '' && $search_status >= 0)
-{
- if (strstr($search_status, ',')) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";
- else $sql.=" AND d.fk_statut = ".$search_status;
-}
+if ($search_status != '' && $search_status >= 0) $sql.=" AND d.fk_statut IN (".$db->escape($search_status).")";
 // RESTRICT RIGHTS
 if (empty($user->rights->expensereport->readall) && empty($user->rights->expensereport->lire_tous) && (empty($conf->global->MAIN_USE_ADVANCED_PERMS) || empty($user->rights->expensereport->writeall_advance)))
diff --git a/htdocs/holiday/list.php b/htdocs/holiday/list.php
index c7227e16472..d99afde8c3d 100644
--- a/htdocs/holiday/list.php
+++ b/htdocs/holiday/list.php
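Review bot: The rewritten status filter still interpolates `$search_status` unquoted into `IN (...)`, so the `$db->escape()` on that line is not what keeps it safe; the only effective control is the `intcomma` filter applied at the GETPOST call in the first hunk, some 230 lines earlier, and a later edit that loosens that filter would silently reopen the injection with no change visible here. I would make the SQL build self-defending by casting each element, `$statuses = array_map('intval', array_filter(explode(',', $search_status), 'strlen'));` followed by `$sql .= " AND d.fk_statut IN (".implode(',', $statuses).")";`, and drop the now-misleading escape(). Note also that `$search_status >= 0` is a loose comparison of a comma-separated string against an int, so it only inspects the leading number; if the intcomma filter admits a trailing or doubled comma (its implementation is not in this diff), the raw interpolation yields `IN (4,)` and a SQL error, which the explicit cast-and-join also avoids. This code is top-level script, not inside a function.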
@@ -85,7 +85,7 @@ if (! $sortorder) $sortorder="DESC";
 $sall = trim((GETPOST('search_all', 'alphanohtml')!='')?GETPOST('search_all', 'alphanohtml'):GETPOST('sall', 'alphanohtml'));
-$search_ref = GETPOST('search_ref','alpha');
+$search_ref = GETPOST('search_ref','alphanohtml');
 $search_day_create = GETPOST('search_day_create','int');
 $search_month_create = GETPOST('search_month_create','int');
 $search_year_create = GETPOST('search_year_create','int');
@@ -185,7 +185,7 @@ $order = $db->order($sortfield,$sortorder).$db->plimit($limit + 1, $offset);
 // Ref
 if(!empty($search_ref))
 {
- $filter.= " AND cp.rowid = ".$db->escape($search_ref);
+ $filter.= " AND cp.rowid = ".(int) $db->escape($search_ref);
 }
 // Start date
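Review bot: In the new `cp.rowid = ` line the `(int)` cast is the actual fix, but it is applied to the output of `$db->escape()`, which reads as though escaping were the protection; once the value is cast to int the escape is redundant, so `(int) $search_ref` is clearer and removes the temptation to drop the cast later while keeping the useless escape. The cast also silently maps anything non-numeric (for example a textual ref that the `alphanohtml` filter in the previous hunk lets through) to `0`, turning what was a SQL error into a `rowid = 0` query that presumably matches no rows; if that is intended, a short comment such as `// search_ref is matched against rowid; non-numeric input yields no rows` would make it explicit, otherwise guard with `if (ctype_digit((string) $search_ref))` before appending. The enclosing `if(!empty($search_ref))` block is fully visible in the hunk.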