diff --git a/htdocs/supplier_proposal/class/supplier_proposal.class.php b/htdocs/supplier_proposal/class/supplier_proposal.class.php
index 34436a6e5ae..a1d45d2d0c1 100644
--- a/htdocs/supplier_proposal/class/supplier_proposal.class.php
+++ b/htdocs/supplier_proposal/class/supplier_proposal.class.php
@@ -1364,7 +1364,7 @@ class SupplierProposal extends CommonObject
             $this->newref = $num;
 
             $sql = "UPDATE ".MAIN_DB_PREFIX."supplier_proposal";
-            $sql.= " SET ref = '".$num."',";
+            $sql.= " SET ref = '".$this->db->escape($num)."',";
             $sql.= " fk_statut = 1, date_valid='".$this->db->idate($now)."', fk_user_valid=".$user->id;
             $sql.= " WHERE rowid = ".$this->id." AND fk_statut = 0";
 
@@ -1437,7 +1437,7 @@ class SupplierProposal extends CommonObject
         else
         {
         	dol_syslog("You don't have permission to validate supplier proposal", LOG_WARNING);
-        	return -1;
+        	return -2;
         }
     }