diff --git a/htdocs/eventorganization/class/conferenceorboothattendee.class.php b/htdocs/eventorganization/class/conferenceorboothattendee.class.php
index 8203fee19f1..7d6de3b3713 100644
--- a/htdocs/eventorganization/class/conferenceorboothattendee.class.php
+++ b/htdocs/eventorganization/class/conferenceorboothattendee.class.php
@@ -392,7 +392,7 @@ class ConferenceOrBoothAttendee extends CommonObject
 	 * @param  string      $sortfield    Sort field
 	 * @param  int         $limit        limit
 	 * @param  int         $offset       Offset
-	 * @param  array       $filter       Filter array. Example array('field'=>'valueforlike', 'customurl'=>...)
+	 * @param  array       $filter       Filter array. Example array('field'=>'valueforlike', 'customurl'=>...). WARNING: customerurl must be a sanitized SQL string.
 	 * @param  string      $filtermode   Filter mode (AND or OR)
 	 * @return array|int                 int <0 if KO, array of pages if OK
 	 */
diff --git a/htdocs/public/eventorganization/attendee_register.php b/htdocs/public/eventorganization/attendee_register.php
index 515436f924a..42fde10e7de 100644
--- a/htdocs/public/eventorganization/attendee_register.php
+++ b/htdocs/public/eventorganization/attendee_register.php
@@ -251,10 +251,10 @@ if (empty($reshook) && $action == 'add' && (!empty($conference->id) && $conferen
 		$confattendee = new ConferenceOrBoothAttendee($db);
 
 		if ($type == 'global') {
-			$filter = array('t.fk_project'=>$id, 'customsql'=>'t.email="'.$email.'"');
+			$filter = array('t.fk_project'=>((int) $id), 'customsql'=>'t.email="'.$db->escape($email).'"');
 		}
 		if ($action == 'conf') {
-			$filter = array('t.fk_actioncomm'=>$id, 'customsql'=>'t.email="'.$email.'"');
+			$filter = array('t.fk_actioncomm'=>((int) $id), 'customsql'=>'t.email="'.$db->escape($email).'"');
 		}
 
 		// Check if there is already an attendee into table eventorganization_conferenceorboothattendee for same event (or conference/booth)