diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php
index 4212cc12529..0a8ceafa2a1 100644
--- a/htdocs/lib/security.lib.php
+++ b/htdocs/lib/security.lib.php
@@ -181,7 +181,7 @@ function dol_loginfunction($langs,$conf,$mysoc)
 }
 // Login
- $login = (!empty($lastuser)?$lastuser:(GETPOST("username")?GETPOST("username"):$demologin));
+ $login = (!empty($lastuser)?$lastuser:(GETPOST("username","alpha",2)?GETPOST("username","alpha",2):$demologin));
 $password = $demopassword;
 // Show logo (search in order: small company logo, large company logo, theme logo, common logo)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index e6796b41870..a60703cd3c3 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -324,7 +324,7 @@ if (! defined('NOLOGIN'))
 }
 // Verification security graphic code
- if (isset($_POST["username"]) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
+ if (GETPOST("username","alpha",2) && ! empty($conf->global->MAIN_SECURITY_ENABLECAPTCHA))
 {
 require_once DOL_DOCUMENT_ROOT.'/includes/artichow/Artichow.cfg.php';
 require_once ARTICHOW."/AntiSpam.class.php";
@@ -339,7 +339,7 @@ if (! defined('NOLOGIN'))
 $langs->load('main');
 $langs->load('other');
- $user->trigger_mesg='ErrorBadValueForCode - login='.$_POST["username"];
+ $user->trigger_mesg='ErrorBadValueForCode - login='.GETPOST("username","alpha",2);
 $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadValueForCode");
 $test=false;
@@ -365,7 +365,7 @@ if (! defined('NOLOGIN'))
 // If error, we will put error message in session under the name dol_loginmesg
 $goontestloop=false;
 if (isset($_SERVER["REMOTE_USER"]) && in_array('http',$authmode)) $goontestloop=true;
- if (isset($_POST["username"]) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
+ if (GETPOST("username","alpha",2) || GETPOST('openid_mode','alpha',1)) $goontestloop=true;
 if ($test && $goontestloop)
 {
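Review bot: The new `$login` line in the -181 hunk evaluates `GETPOST("username","alpha",2)` twice inside one ternary, and nothing in the hunk shows the result being encoded for output. The 'alpha' check is an input filter whose definition is outside this diff; if `$login` is later written into the login form (dol_loginfunction continues past the hunk, so this is not visible here), it still needs HTML escaping where it is printed. Reading the value once would be clearer: `$username=GETPOST("username","alpha",2);` followed by `$login=(!empty($lastuser)?$lastuser:($username?$username:$demologin));`.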
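Review bot: Swapping `isset($_POST["username"])` for the truthiness of `GETPOST("username","alpha",2)` in the captcha condition of the -324 hunk changes when the check runs, not only how the value is read. A submitted form whose username is empty, is the string `0`, or is blanked by the 'alpha' filter now skips this branch. The -365 hunk makes the same swap for `$goontestloop`, so such a request appears to fall through with no captcha check, no password check and no failed-login trigger message, which leaves nothing for whoever monitors login failures. Keeping `isset($_POST["username"])` as the "form was submitted" test and using GETPOST only where the value is consumed would preserve the old control flow. The enclosing `if (! defined('NOLOGIN'))` block starts and ends outside both hunks.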
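Review bot: The posted login is still concatenated into `$user->trigger_mesg` in the -339 hunk, and again in the -411 hunk, after only the 'alpha' check. Whether that check removes CR/LF and other control characters cannot be seen in this diff; if it does not, and the triggers write the message to a log or audit table, the stored entries can no longer be trusted line by line. Stripping control characters and capping the length before concatenation would make the message safe to store regardless of the filter, e.g. `$loginforlog=substr(preg_replace('/[\x00-\x1F\x7F]/','',GETPOST("username","alpha",2)),0,64);` (64 is an illustrative limit) and then `'ErrorBadValueForCode - login='.$loginforlog`.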
@@ -378,7 +378,7 @@ if (! defined('NOLOGIN'))
 if ($result)
 {
 // Call function to check user/password
- $usertotest=$_POST["username"];
+ $usertotest=GETPOST("username","alpha",2);
 $passwordtotest=$_POST["password"];
 $entitytotest=$_POST["entity"];
 $function='check_user_password_'.$mode;
@@ -411,7 +411,7 @@ if (! defined('NOLOGIN'))
 $langs->load('other');
 // Bad password. No authmode has found a good password.
- $user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.$_POST["username"];
+ $user->trigger_mesg=$langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username","alpha",2);
 $_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
 // Appel des triggers
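Review bot: `$entitytotest=$_POST["entity"]` in the -378 hunk stays a raw superglobal read on the line right after the username was moved to GETPOST, so it is unfiltered and raises a notice when the field is absent. It is presumably passed to the `check_user_password_` function built on the following line, though the call itself is outside the hunk. If the entity is a numeric id, as the name suggests, `$entitytotest=GETPOST("entity","int",2);` would be consistent with the username change. `$passwordtotest` should stay unfiltered, because filtering would alter valid secrets. A short comment saying so, `// password is deliberately read raw: any character is valid in a secret`, would keep a later cleanup from changing it.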