diff --git a/htdocs/adherents/card.php b/htdocs/adherents/card.php
index ddbc7123d70..8c6f7687263 100644
--- a/htdocs/adherents/card.php
+++ b/htdocs/adherents/card.php
@@ -822,7 +822,7 @@ else
 		// Login
 		if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
 		{
-			print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td><input type="text" name="member_login" size="40" value="'.(isset($_POST["member_login"])?$_POST["member_login"]:$object->login).'"></td></tr>';
+			print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td><input type="text" name="member_login" class="maxwidth200" value="'.(isset($_POST["member_login"])?GETPOST("member_login", 'alpha', 2):$object->login).'"></td></tr>';
 		}
 
 		// Type
@@ -1066,7 +1066,7 @@ else
 		// Login
 		if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
 		{
-			print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td colspan="2"><input type="text" name="login" size="30" value="'.(isset($_POST["login"])?$_POST["login"]:$object->login).'"></td></tr>';
+			print '<tr><td><span class="fieldrequired">'.$langs->trans("Login").' / '.$langs->trans("Id").'</span></td><td colspan="2"><input type="text" name="login" class="maxwidth200" value="'.(isset($_POST["login"])?GETPOST("login",'alpha',2):$object->login).'"></td></tr>';
 		}
 
 		// Morphy
@@ -1090,7 +1090,7 @@ else
 		print "</td></tr>";
 
 		// Company
-		print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.(isset($_POST["societe"])?$_POST["societe"]:$object->societe).'"></td></tr>';
+		print '<tr><td id="tdcompany">'.$langs->trans("Company").'</td><td><input type="text" name="societe" size="40" value="'.(isset($_POST["societe"])?GETPOST("societe",'',2):$object->societe).'"></td></tr>';
 
 		// Civility
 		print '<tr><td>'.$langs->trans("UserTitle").'</td><td>';
@@ -1099,11 +1099,11 @@ else
 		print '</tr>';
 
 		// Lastname
-		print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.(isset($_POST["lastname"])?$_POST["lastname"]:$object->lastname).'"></td>';
+		print '<tr><td id="tdlastname">'.$langs->trans("Lastname").'</td><td><input type="text" name="lastname" size="40" value="'.(isset($_POST["lastname"])?GETPOST("lastname",'',2):$object->lastname).'"></td>';
 		print '</tr>';
 
 		// Firstname
-		print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.(isset($_POST["firstname"])?$_POST["firstname"]:$object->firstname).'"></td>';
+		print '<tr><td id="tdfirstname">'.$langs->trans("Firstname").'</td><td><input type="text" name="firstname" size="40" value="'.(isset($_POST["firstname"])?GETPOST("firstname",'',3):$object->firstname).'"></td>';
 		print '</tr>';
 
 		// Photo
@@ -1122,24 +1122,24 @@ else
 		print '</td></tr>';
 
 		// EMail
-		print '<tr><td>'.($conf->global->ADHERENT_MAIL_REQUIRED?'<span class="fieldrequired">':'').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED?'</span>':'').'</td><td><input type="text" name="email" size="40" value="'.(isset($_POST["email"])?$_POST["email"]:$object->email).'"></td></tr>';
+		print '<tr><td>'.($conf->global->ADHERENT_MAIL_REQUIRED?'<span class="fieldrequired">':'').$langs->trans("EMail").($conf->global->ADHERENT_MAIL_REQUIRED?'</span>':'').'</td><td><input type="text" name="email" size="40" value="'.(isset($_POST["email"])?GETPOST("email",'',2):$object->email).'"></td></tr>';
 
 		// Password
 		if (empty($conf->global->ADHERENT_LOGIN_NOT_REQUIRED))
 		{
-			print '<tr><td class="fieldrequired">'.$langs->trans("Password").'</td><td><input type="password" name="pass" size="30" value="'.(isset($_POST["pass"])?$_POST["pass"]:$object->pass).'"></td></tr>';
+			print '<tr><td class="fieldrequired">'.$langs->trans("Password").'</td><td><input type="password" name="pass" class="maxwdith200" value="'.(isset($_POST["pass"])?GETPOST("pass",'',2):$object->pass).'"></td></tr>';
 		}
 
 		// Address
 		print '<tr><td>'.$langs->trans("Address").'</td><td>';
-		print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(isset($_POST["address"])?$_POST["address"]:$object->address).'</textarea>';
+		print '<textarea name="address" wrap="soft" class="quatrevingtpercent" rows="2">'.(isset($_POST["address"])?GETPOST("address",'',2):$object->address).'</textarea>';
 		print '</td></tr>';
 
 		// Zip / Town
 		print '<tr><td>'.$langs->trans("Zip").' / '.$langs->trans("Town").'</td><td>';
-		print $formcompany->select_ziptown((isset($_POST["zipcode"])?$_POST["zipcode"]:$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6);
+		print $formcompany->select_ziptown((isset($_POST["zipcode"])?GETPOST("zipcode",'',2):$object->zip),'zipcode',array('town','selectcountry_id','state_id'),6);
 		print ' ';
-		print $formcompany->select_ziptown((isset($_POST["town"])?$_POST["town"]:$object->town),'town',array('zipcode','selectcountry_id','state_id'));
+		print $formcompany->select_ziptown((isset($_POST["town"])?GETPOST("town",'',2):$object->town),'town',array('zipcode','selectcountry_id','state_id'));
 		print '</td></tr>';
 
 		// Country
@@ -1153,23 +1153,23 @@ else
 		if (empty($conf->global->MEMBER_DISABLE_STATE))
 		{
 			print '<tr><td>'.$langs->trans('State').'</td><td>';
-			print $formcompany->select_state($object->state_id,isset($_POST["country_id"])?$_POST["country_id"]:$object->country_id);
+			print $formcompany->select_state($object->state_id,isset($_POST["country_id"])?GETPOST("country_id"):$object->country_id);
 			print '</td></tr>';
 		}
 
 		// Pro phone
-		print '<tr><td>'.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(isset($_POST["phone"])?$_POST["phone"]:$object->phone).'"></td></tr>';
+		print '<tr><td>'.$langs->trans("PhonePro").'</td><td><input type="text" name="phone" size="20" value="'.(isset($_POST["phone"])?GETPOST("phone"):$object->phone).'"></td></tr>';
 
 		// Personal phone
-		print '<tr><td>'.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(isset($_POST["phone_perso"])?$_POST["phone_perso"]:$object->phone_perso).'"></td></tr>';
+		print '<tr><td>'.$langs->trans("PhonePerso").'</td><td><input type="text" name="phone_perso" size="20" value="'.(isset($_POST["phone_perso"])?GETPOST("phone_perso"):$object->phone_perso).'"></td></tr>';
 
 		// Mobile phone
-		print '<tr><td>'.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(isset($_POST["phone_mobile"])?$_POST["phone_mobile"]:$object->phone_mobile).'"></td></tr>';
+		print '<tr><td>'.$langs->trans("PhoneMobile").'</td><td><input type="text" name="phone_mobile" size="20" value="'.(isset($_POST["phone_mobile"])?GETPOST("hone_mobile"):$object->phone_mobile).'"></td></tr>';
 
 	    // Skype
 	    if (! empty($conf->skype->enabled))
 	    {
-			    print '<tr><td>'.$langs->trans("Skype").'</td><td><input type="text" name="skype" size="40" value="'.(isset($_POST["skype"])?$_POST["skype"]:$object->skype).'"></td></tr>';
+			    print '<tr><td>'.$langs->trans("Skype").'</td><td><input type="text" name="skype" size="40" value="'.(isset($_POST["skype"])?GETPOST("skype"):$object->skype).'"></td></tr>';
 	    }
 
 		// Birthday
@@ -1179,7 +1179,7 @@ else
 
 		// Public profil
 		print "<tr><td>".$langs->trans("Public")."</td><td>\n";
-		print $form->selectyesno("public",(isset($_POST["public"])?$_POST["public"]:$object->public),1);
+		print $form->selectyesno("public",(isset($_POST["public"])?GETPOST("public",'',2):$object->public),1);
 		print "</td></tr>\n";
 
 		// Categories
diff --git a/htdocs/admin/menus/index.php b/htdocs/admin/menus/index.php
index c8b7b469bd2..acfa9d2dccd 100644
--- a/htdocs/admin/menus/index.php
+++ b/htdocs/admin/menus/index.php
@@ -71,7 +71,7 @@ if ($action == 'up')
 	// Get current position
 	$sql = "SELECT m.rowid, m.position, m.type, m.fk_menu";
 	$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
-	$sql.= " WHERE m.rowid = ".$_GET["menuId"];
+	$sql.= " WHERE m.rowid = ".GETPOST("menuId","int");
 	dol_syslog("admin/menus/index.php ".$sql);
 	$result = $db->query($sql);
 	$num = $db->num_rows($result);
@@ -89,11 +89,11 @@ if ($action == 'up')
 	// Menu before
 	$sql = "SELECT m.rowid, m.position";
 	$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
-	$sql.= " WHERE (m.position < ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid < ".$_GET["menuId"]."))";
-	$sql.= " AND m.menu_handler='".$menu_handler_to_search."'";
+	$sql.= " WHERE (m.position < ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid < ".GETPOST("menuId","int")."))";
+	$sql.= " AND m.menu_handler='".$db->escape($menu_handler_to_search)."'";
 	$sql.= " AND m.entity = ".$conf->entity;
-	$sql.= " AND m.type = '".$current['type']."'";
-	$sql.= " AND m.fk_menu = '".$current['fk_menu']."'";
+	$sql.= " AND m.type = '".$db->escape($current['type'])."'";
+	$sql.= " AND m.fk_menu = '".$db->escape($current['fk_menu'])."'";
 	$sql.= " ORDER BY m.position, m.rowid";
 	dol_syslog("admin/menus/index.php ".$sql);
 	$result = $db->query($sql);
@@ -127,7 +127,7 @@ elseif ($action == 'down')
 	// Get current position
 	$sql = "SELECT m.rowid, m.position, m.type, m.fk_menu";
 	$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
-	$sql.= " WHERE m.rowid = ".$_GET["menuId"];
+	$sql.= " WHERE m.rowid = ".GETPOST("menuId","int");
 	dol_syslog("admin/menus/index.php ".$sql);
 	$result = $db->query($sql);
 	$num = $db->num_rows($result);
@@ -145,11 +145,11 @@ elseif ($action == 'down')
 	// Menu after
 	$sql = "SELECT m.rowid, m.position";
 	$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
-	$sql.= " WHERE (m.position > ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid > ".$_GET["menuId"]."))";
-	$sql.= " AND m.menu_handler='".$menu_handler_to_search."'";
+	$sql.= " WHERE (m.position > ".($current['order'])." OR (m.position = ".($current['order'])." AND rowid > ".GETPOST("menuId","int")."))";
+	$sql.= " AND m.menu_handler='".$db->escape($menu_handler_to_search)."'";
 	$sql.= " AND m.entity = ".$conf->entity;
-	$sql.= " AND m.type = '".$current['type']."'";
-	$sql.= " AND m.fk_menu = '".$current['fk_menu']."'";
+	$sql.= " AND m.type = '".$db->escape($current['type'])."'";
+	$sql.= " AND m.fk_menu = '".$db->escape($current['fk_menu'])."'";
 	$sql.= " ORDER BY m.position, m.rowid";
 	dol_syslog("admin/menus/index.php ".$sql);
 	$result = $db->query($sql);
@@ -180,7 +180,7 @@ elseif ($action == 'confirm_delete' && $confirm == 'yes')
 	$db->begin();
 
 	$sql = "DELETE FROM ".MAIN_DB_PREFIX."menu";
-	$sql.= " WHERE rowid = ".$_GET['menuId'];
+	$sql.= " WHERE rowid = ".GETPOST('menuId','int');
 	$resql=$db->query($sql);
 	if ($resql)
 	{
@@ -245,11 +245,11 @@ if ($action == 'delete')
 {
 	$sql = "SELECT m.titre";
 	$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
-	$sql.= " WHERE m.rowid = ".$_GET['menuId'];
+	$sql.= " WHERE m.rowid = ".GETPOST('menuId','int');
 	$result = $db->query($sql);
 	$obj = $db->fetch_object($result);
 
-    print $form->formconfirm("index.php?menu_handler=".$menu_handler."&menuId=".$_GET['menuId'],$langs->trans("DeleteMenu"),$langs->trans("ConfirmDeleteMenu",$obj->titre),"confirm_delete");
+    print $form->formconfirm("index.php?menu_handler=".$menu_handler."&menuId=".GETPOST('menuId','int'),$langs->trans("DeleteMenu"),$langs->trans("ConfirmDeleteMenu",$obj->titre),"confirm_delete");
 }
 
 
@@ -298,7 +298,7 @@ if ($conf->use_javascript_ajax)
 
 	$sql = "SELECT m.rowid, m.titre, m.langs, m.mainmenu, m.leftmenu, m.fk_menu, m.fk_mainmenu, m.fk_leftmenu, m.module";
 	$sql.= " FROM ".MAIN_DB_PREFIX."menu as m";
-	$sql.= " WHERE menu_handler = '".$menu_handler_to_search."'";
+	$sql.= " WHERE menu_handler = '".$db->escape($menu_handler_to_search)."'";
 	$sql.= " AND entity = ".$conf->entity;
 	//$sql.= " AND fk_menu >= 0";
 	$sql.= " ORDER BY m.position, m.rowid";		// Order is position then rowid (because we need a sort criteria when position is same)
diff --git a/htdocs/admin/perms.php b/htdocs/admin/perms.php
index 8ce7e046186..e023af90067 100644
--- a/htdocs/admin/perms.php
+++ b/htdocs/admin/perms.php
@@ -44,7 +44,7 @@ if (!$user->admin) accessforbidden();
 if ($action == 'add')
 {
     $sql = "UPDATE ".MAIN_DB_PREFIX."rights_def SET bydefault=1";
-    $sql.= " WHERE id = ".$_GET["pid"];
+    $sql.= " WHERE id = ".GETPOST("pid",'int');
     $sql.= " AND entity = ".$conf->entity;
     $db->query($sql);
 }
@@ -52,7 +52,7 @@ if ($action == 'add')
 if ($action == 'remove')
 {
     $sql = "UPDATE ".MAIN_DB_PREFIX."rights_def SET bydefault=0";
-    $sql.= " WHERE id = ".$_GET["pid"];
+    $sql.= " WHERE id = ".GETPOST('pid','int');
     $sql.= " AND entity = ".$conf->entity;
     $db->query($sql);
 }
diff --git a/htdocs/bookmarks/card.php b/htdocs/bookmarks/card.php
index 67e01bcb773..bef65d409a3 100644
--- a/htdocs/bookmarks/card.php
+++ b/htdocs/bookmarks/card.php
@@ -69,7 +69,7 @@ if ($action == 'add' || $action == 'addproduct' || $action == 'update')
 		exit;
 	}
 
-	if ($action == 'update') $bookmark->fetch($_POST["id"]);
+	if ($action == 'update') $bookmark->fetch(GETPOST("id",'int'));
 	// Check if null because user not admin can't set an user and send empty value here.
 	if(!empty($userid))
 		$bookmark->fk_user=$userid;
@@ -217,7 +217,7 @@ if ($id > 0 && ! preg_match('/^add/i',$action))
 
 	print '<table class="border" width="100%">';
 
-	print '<tr><td width="25%">'.$langs->trans("Ref").'</td><td>'.$bookmark->ref.'</td></tr>';
+	print '<tr><td class="titlefield">'.$langs->trans("Ref").'</td><td>'.$bookmark->ref.'</td></tr>';
 
 	print '<tr><td>';
 	if ($action == 'edit') {
@@ -231,7 +231,7 @@ if ($id > 0 && ! preg_match('/^add/i',$action))
 	}
 
 	print '</td><td>';
-	if ($action == 'edit') print '<input class="flat" name="title" size="30" value="'.(isset($_POST["title"])?$_POST["title"]:$bookmark->title).'">';
+	if ($action == 'edit') print '<input class="flat minwidth200" name="title" value="'.(isset($_POST["title"])?GETPOST("title",'',2):$bookmark->title).'">';
 	else print $bookmark->title;
 	print '</td></tr>';
 
@@ -301,6 +301,8 @@ if ($id > 0 && ! preg_match('/^add/i',$action))
 	}
 
 
+	// Buttons
+	
 	print "<div class=\"tabsAction\">\n";
 
 	// Edit
diff --git a/htdocs/cashdesk/tpl/validation2.tpl.php b/htdocs/cashdesk/tpl/validation2.tpl.php
index 7bc7999d377..b74f5afdd52 100644
--- a/htdocs/cashdesk/tpl/validation2.tpl.php
+++ b/htdocs/cashdesk/tpl/validation2.tpl.php
@@ -33,7 +33,7 @@ $langs->load("bills");
 		largeur = 600;
 		hauteur = 500;
 		opt = 'width='+largeur+', height='+hauteur+', left='+(screen.width - largeur)/2+', top='+(screen.height-hauteur)/2+'';
-		window.open('validation_ticket.php?facid=<?php echo $_GET['facid']; ?>', '<?php echo $langs->trans('PrintTicket') ?>', opt);
+		window.open('validation_ticket.php?facid=<?php echo GETPOST('facid','int'); ?>', '<?php echo $langs->trans('PrintTicket') ?>', opt);
 	}
 
 	popupTicket();
diff --git a/htdocs/comm/contact.php b/htdocs/comm/contact.php
index c7690e7e16f..7b71e3ade9c 100644
--- a/htdocs/comm/contact.php
+++ b/htdocs/comm/contact.php
@@ -125,6 +125,8 @@ if ($resql)
 	$title = (! empty($conf->global->SOCIETE_ADDRESSES_MANAGEMENT) ? $langs->trans("ListOfContacts") : $langs->trans("ListOfContactsAddresses"));
 	print_barre_liste($title.($label?" (".$label.")":""),$page, $_SERVER["PHP_SELF"], $param,$sortfield,$sortorder,"",$num);
 
+	print '<form action="'.$_SERVER["PHP_SELF"].'?type='.GETPOST("type", "alpha").'" method="GET">';
+	
 	print '<table class="liste" width="100%">';
 	print '<tr class="liste_titre">';
 	print_liste_field_titre($langs->trans("Lastname"),$_SERVER["PHP_SELF"],"p.name", $begin, $param,"",$sortfield,$sortorder);
@@ -134,7 +136,6 @@ if ($resql)
 	print_liste_field_titre($langs->trans("Phone"));
 	print "</tr>\n";
 
-	print '<form action="'.$_SERVER["PHP_SELF"].'?type='.$_GET["type"].'" method="GET">';
 	print '<tr class="liste_titre">';
 	print '<td class="liste_titre"><input class="flat" name="search_lastname" size="12" value="'.$search_lastname.'"></td>';
 	print '<td class="liste_titre"><input class="flat" name="search_firstname" size="12"  value="'.$search_firstname.'"></td>';
@@ -142,7 +143,6 @@ if ($resql)
 	print '<td class="liste_titre">&nbsp;</td>';
 	print '<td class="liste_titre" align="right"><input type="image" class="liste_titre" src="'.img_picto($langs->trans("Search"),'search.png','','',1).'" value="'.dol_escape_htmltag($langs->trans("Search")).'" title="'.dol_escape_htmltag($langs->trans("Search")).'"></td>';
 	print "</tr>\n";
-	print '</form>';
 
 	$var=True;
 	$i = 0;
@@ -167,7 +167,10 @@ if ($resql)
 		print "</tr>\n";
 		$i++;
 	}
-	print "</table></p>";
+	print "</table>";
+	
+	print '</form>';
+	
 	$db->free($resql);
 }
 else
diff --git a/htdocs/comm/remx.php b/htdocs/comm/remx.php
index 5cc7fcedf4d..575a55e435f 100644
--- a/htdocs/comm/remx.php
+++ b/htdocs/comm/remx.php
@@ -283,14 +283,14 @@ if ($socid > 0)
     	print '<div class="underbanner clearboth"></div>';
     	print '<table class="border" width="100%">';
     	print '<tr><td class="titlefield fieldrequired">'.$langs->trans("AmountHT").'</td>';
-    	print '<td><input type="text" size="5" name="amount_ht" value="'.$_POST["amount_ht"].'">';
+    	print '<td><input type="text" size="5" name="amount_ht" value="'.price2num(GETPOST("amount_ht")).'">';
     	print '<span class="hideonsmartphone">&nbsp;'.$langs->trans("Currency".$conf->currency).'</span></td></tr>';
     	print '<tr><td>'.$langs->trans("VAT").'</td>';
     	print '<td>';
     	print $form->load_tva('tva_tx',GETPOST('tva_tx'),$mysoc,$object);
     	print '</td></tr>';
     	print '<tr><td class="fieldrequired" >'.$langs->trans("NoteReason").'</td>';
-    	print '<td><input type="text" size="60" name="desc" value="'.GETPOST('desc').'"></td></tr>';
+    	print '<td><input type="text" class="quatrevingtpercent" name="desc" value="'.GETPOST('desc').'"></td></tr>';
     
     	print "</table>";
 	}
diff --git a/htdocs/commande/customer.php b/htdocs/commande/customer.php
index 391962c98cb..8190367a06a 100644
--- a/htdocs/commande/customer.php
+++ b/htdocs/commande/customer.php
@@ -44,11 +44,13 @@ accessforbidden();
 
 $langs->load("companies");
 $langs->load("orders");
+
+$limit = GETPOST("limit")?GETPOST("limit","int"):$conf->liste_limit;
 $sortfield = GETPOST("sortfield",'alpha');
 $sortorder = GETPOST("sortorder",'alpha');
 $page = GETPOST("page",'int');
 if ($page == -1) { $page = 0; }
-$offset = $conf->liste_limit * $page;
+$offset = $limit * $page;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
 if (! $sortorder) $sortorder="ASC";
@@ -77,32 +79,32 @@ $sql.= " AND s.entity IN (".getEntity('societe', 1).")";
 if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 if (dol_strlen($stcomm))
 {
-	$sql.= " AND s.fk_stcomm=$stcomm";
-}
-
-if ($_GET["search_nom"])
-{
-	$sql.= " AND s.nom like '%".$db->escape(strtolower($_GET["search_nom"]))."%'";
-}
-if ($_GET["search_compta"])
-{
-	$sql.= " AND s.code_compta like '%".$db->escape($_GET["search_compta"])."%'";
-}
-if ($_GET["search_code_client"])
-{
-	$sql.= " AND s.code_client like '%".$db->escape($_GET["search_code_client"])."%'";
+	$sql.= " AND s.fk_stcomm=".$stcomm;
 }
+if (GETPOST("search_nom"))  $sql.= natural_search("s.nom", GETPOST("search_nom"));
+if (GETPOST("search_compta")) $sql.= natural_search("s.code_compta", GETPOST("search_compta"));
+if (GETPOST("search_code_client")) $sql.= natural_search("s.code_client", GETPOST("search_code_client"));
 if (dol_strlen($begin))
 {
 	$sql.= " AND s.nom like '".$db->escape($begin)."'";
 }
-if ($socid)
+if ($socid > 0)
 {
 	$sql.= " AND s.rowid = ".$socid;
 }
 $sql.= " AND c.fk_statut in (1, 2) AND c.facture = 0";
 $sql.= " GROUP BY s.nom";
-$sql.= " ORDER BY $sortfield $sortorder " . $db->plimit($conf->liste_limit+1, $offset);
+$sql.= $db->order($sortfield,$sortorder);
+
+// Count total nb of records
+$nbtotalofrecords = -1;
+if (empty($conf->global->MAIN_DISABLE_FULL_SCANLIST))
+{
+	$result = $db->query($sql);
+	$nbtotalofrecords = $db->num_rows($result);
+}
+
+$sql.= $db->plimit($limit + 1, $offset);
 //print $sql;
 
 $resql = $db->query($sql);
@@ -129,26 +131,27 @@ if ($resql)
 	print '<tr class="liste_titre">';
 
 	print '<td align="left" class="liste_titre">';
-	print '<input class="flat" type="text" name="search_nom" value="'.$_GET["search_nom"].'"></td>';
+	print '<input class="flat" type="text" name="search_nom" value="'.dol_escape_htmltag(GETPOST("search_nom")).'"></td>';
 
 	print '<td class="liste_titre">&nbsp;</td>';
 
 	print '<td align="left" class="liste_titre">';
-	print '<input class="flat" type="text" size="10" name="search_code_client" value="'.$_GET["search_code_client"].'">';
+	print '<input class="flat" type="text" size="10" name="search_code_client" value="'.dol_escape_htmltag(GETPOST("search_code_client")).'">';
 	print '</td>';
 
 	print '<td align="left" class="liste_titre">';
-	print '<input class="flat" type="text" size="10" name="search_compta" value="'.$_GET["search_compta"].'">';
+	print '<input class="flat" type="text" size="10" name="search_compta" value="'.dol_escape_htmltag(GETPOST("search_compta")).'">';
 	print '</td>';
 
 	print '<td align="right" colspan="2" class="liste_titre">';
 	print '<input type="image" class="liste_titre" src="'.img_picto($langs->trans("Search"),'search.png','','',1).'" name="button_search" value="'.dol_escape_htmltag($langs->trans("Search")).'" title="'.dol_escape_htmltag($langs->trans("Search")).'">';
 	print '</td>';
+	
 	print "</tr>\n";
 
 	$var=true;
 
-	while ($i < min($num,$conf->liste_limit))
+	while ($i < min($num,$limit))
 	{
 		$obj = $db->fetch_object($resql);
 
diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php
index f9767c74695..74861d3ee67 100644
--- a/htdocs/commande/orderstoinvoice.php
+++ b/htdocs/commande/orderstoinvoice.php
@@ -46,7 +46,7 @@ $langs->load('companies');
 if (! $user->rights->facture->creer)
 	accessforbidden();
 
-$id				= (GETPOST('id')?GETPOST('id','int'):GETPOST("facid"));  // For backward compatibility
+$id				= (GETPOST('id')?GETPOST('id','int'):GETPOST("facid","int"));  // For backward compatibility
 $ref			= GETPOST('ref','alpha');
 $action			= GETPOST('action','alpha');
 $confirm		= GETPOST('confirm','alpha');
@@ -112,7 +112,7 @@ if (($action == 'create' || $action == 'add') && !$error)
 	$langs->load('main');
 	if (isset($_GET['orders_to_invoice']))
 	{
-		$orders_id = $_GET['orders_to_invoice'];
+		$orders_id = GETPOST('orders_to_invoice','',1);
 		$n        = count($orders_id);
 		$i        = 0;
 
@@ -122,7 +122,7 @@ if (($action == 'create' || $action == 'add') && !$error)
 	}
 	if (isset($_POST['orders_to_invoice']))
 	{
-		$orders_id = $_POST['orders_to_invoice'];
+		$orders_id = GETPOST('orders_to_invoice','',1);
 		$nn        = count($orders_id);
 		$ii        = 0;
 
diff --git a/htdocs/compta/localtax/reglement.php b/htdocs/compta/localtax/reglement.php
index 54530b14443..df96d0b7d67 100644
--- a/htdocs/compta/localtax/reglement.php
+++ b/htdocs/compta/localtax/reglement.php
@@ -31,7 +31,7 @@ $langs->load("compta");
 $socid = isset($_GET["socid"])?$_GET["socid"]:'';
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'tax', '', '', 'charges');
-$ltt=$_REQUEST["localTaxType"];
+$ltt=GETPOST("localTaxType");
 
 /*
  * View
@@ -45,7 +45,7 @@ print load_fiche_titre($langs->transcountry($ltt==2?"LT2Payments":"LT1Payments",
 
 $sql = "SELECT rowid, amount, label, f.datev as dm";
 $sql.= " FROM ".MAIN_DB_PREFIX."localtax as f ";
-$sql.= " WHERE f.entity = ".$conf->entity." AND localtaxtype=".$ltt;
+$sql.= " WHERE f.entity = ".$conf->entity." AND localtaxtype=".$db->escape($ltt);
 $sql.= " ORDER BY dm DESC";
 
 $result = $db->query($sql);
diff --git a/htdocs/compta/tva/quadri_detail.php b/htdocs/compta/tva/quadri_detail.php
index 128eb6456f3..e0a19d7a0f3 100644
--- a/htdocs/compta/tva/quadri_detail.php
+++ b/htdocs/compta/tva/quadri_detail.php
@@ -48,7 +48,7 @@ $langs->load("trips");
 $langs->load("other");
 
 // Date range
-$year=GETPOST("year");
+$year=GETPOST("year","int");
 if (empty($year))
 {
 	$year_current = strftime("%Y",dol_now());
@@ -57,15 +57,15 @@ if (empty($year))
 	$year_current = $year;
 	$year_start = $year;
 }
-$date_start=dol_mktime(0,0,0,$_REQUEST["date_startmonth"],$_REQUEST["date_startday"],$_REQUEST["date_startyear"]);
-$date_end=dol_mktime(23,59,59,$_REQUEST["date_endmonth"],$_REQUEST["date_endday"],$_REQUEST["date_endyear"]);
+$date_start=dol_mktime(0,0,0,GETPOST("date_startmonth"),GETPOST("date_startday"),GETPOST("date_startyear"));
+$date_end=dol_mktime(23,59,59,GETPOST("date_endmonth"),GETPOST("date_endday"),GETPOST("date_endyear"));
 // Quarter
 if (empty($date_start) || empty($date_end)) // We define date_start and date_end
 {
 	$q=GETPOST("q");
 	if (empty($q))
 	{
-		if (isset($_REQUEST["month"])) { $date_start=dol_get_first_day($year_start,$_REQUEST["month"],false); $date_end=dol_get_last_day($year_start,$_REQUEST["month"],false); }
+		if (GETPOST("month")) { $date_start=dol_get_first_day($year_start,GETPOST("month"),false); $date_end=dol_get_last_day($year_start,GETPOST("month"),false); }
 		else
 		{
             $month_current = strftime("%m",dol_now());
diff --git a/htdocs/core/class/html.formsms.class.php b/htdocs/core/class/html.formsms.class.php
index b2802f91c09..9412582599d 100644
--- a/htdocs/core/class/html.formsms.class.php
+++ b/htdocs/core/class/html.formsms.class.php
@@ -255,7 +255,7 @@ function limitChars(textarea, limit, infodiv)
             }
             else
             {
-                print "<input size=\"16\" id=\"sendto\" name=\"sendto\" value=\"".(! is_array($this->withto) && $this->withto != '1'? (isset($_REQUEST["sendto"])?$_REQUEST["sendto"]:$this->withto):"+")."\">";
+                print "<input size=\"16\" id=\"sendto\" name=\"sendto\" value=\"".dol_escape_htmltag(! is_array($this->withto) && $this->withto != '1'? (isset($_REQUEST["sendto"])?GETPOST("sendto"):$this->withto):"+")."\">";
                 if (! empty($this->withtosocid) && $this->withtosocid > 0)
                 {
                     $liste=array();
@@ -290,11 +290,11 @@ function limitChars(textarea, limit, infodiv)
             if ($this->withbodyreadonly)
             {
                 print nl2br($defaultmessage);
-                print '<input type="hidden" name="message" value="'.$defaultmessage.'">';
+                print '<input type="hidden" name="message" value="'.dol_escape_htmltag($defaultmessage).'">';
             }
             else
             {
-                print '<textarea cols="40" name="message" id="message" rows="4" onkeyup="limitChars(this, 160, \'charlimitinfospan\')">'.$defaultmessage.'</textarea>';
+                print '<textarea class="quatrevingtpercent" name="message" id="message" rows="'.ROWS_4.'" onkeyup="limitChars(this, 160, \'charlimitinfospan\')">'.$defaultmessage.'</textarea>';
                 print '<div id="charlimitinfo">'.$langs->trans("SmsInfoCharRemain").': <span id="charlimitinfospan">'.(160-dol_strlen($defaultmessage)).'</span></div></td>';
             }
             print "</td></tr>\n";
diff --git a/htdocs/core/datepicker.php b/htdocs/core/datepicker.php
index 63b765fbadb..eeb20ee265c 100644
--- a/htdocs/core/datepicker.php
+++ b/htdocs/core/datepicker.php
@@ -108,7 +108,7 @@ if (isset($_GET["m"]) && isset($_GET["y"]))
 if ($qualified)
 {
 	//print $_GET["cm"].",".$_GET["sd"].",".$_GET["m"].",".$_GET["y"];exit;
-	displayBox($_GET["sd"],$_GET["m"],$_GET["y"]);
+	displayBox(GETPOST("sd",'alpha'),GETPOST("m",'int'),GETPOST("y",'int'));
 }
 else
 {
diff --git a/htdocs/core/filemanagerdol/connectors/php/io.php b/htdocs/core/filemanagerdol/connectors/php/io.php
index 731509b6e10..77c8c3ec253 100644
--- a/htdocs/core/filemanagerdol/connectors/php/io.php
+++ b/htdocs/core/filemanagerdol/connectors/php/io.php
@@ -44,7 +44,7 @@ function GetResourceTypePath($resourceType, $sCommand)
 {
 	global $Config ;
 
-	if ( $sCommand == "QuickUpload")
+	if ($sCommand == "QuickUpload")
 		return $Config['QuickUploadPath'][$resourceType] ;
 	else
 		return $Config['FileTypesPath'][$resourceType] ;
@@ -60,7 +60,7 @@ function GetResourceTypePath($resourceType, $sCommand)
 function GetResourceTypeDirectory($resourceType, $sCommand)
 {
 	global $Config ;
-	if ( $sCommand == "QuickUpload")
+	if ($sCommand == "QuickUpload")
 	{
 		if ( strlen($Config['QuickUploadAbsolutePath'][$resourceType]) > 0)
 			return $Config['QuickUploadAbsolutePath'][$resourceType] ;
@@ -299,7 +299,7 @@ function IsAllowedCommand($sCommand)
 {
 	global $Config ;
 
-	if ( !in_array($sCommand, $Config['ConfigAllowedCommands']))
+	if (! in_array($sCommand, $Config['ConfigAllowedCommands']))
 		return false ;
 
 	return true ;
@@ -315,7 +315,7 @@ function GetCurrentFolder()
 	if (!isset($_GET)) {
 		global $_GET;
 	}
-	$sCurrentFolder	= isset( $_GET['CurrentFolder'] ) ? $_GET['CurrentFolder'] : '/' ;
+	$sCurrentFolder	= isset( $_GET['CurrentFolder'] ) ? GETPOST('CurrentFolder', '', 1) : '/' ;
 
 	// Check the current folder syntax (must begin and start with a slash).
 	if (!preg_match('|/$|', $sCurrentFolder))
diff --git a/htdocs/core/photos_resize.php b/htdocs/core/photos_resize.php
index 2ef81d6e8df..ae73347edfa 100644
--- a/htdocs/core/photos_resize.php
+++ b/htdocs/core/photos_resize.php
@@ -34,7 +34,7 @@ $langs->load("other");
 $id=GETPOST('id','int');
 $action=GETPOST('action','alpha');
 $modulepart=GETPOST('modulepart','alpha')?GETPOST('modulepart','alpha'):'produit|service';
-$original_file = isset($_REQUEST["file"])?urldecode($_REQUEST["file"]):'';
+$original_file = GETPOST("file");
 $backtourl=GETPOST('backtourl');
 $cancel=GETPOST("cancel");
 
diff --git a/htdocs/core/tpl/objectline_create.tpl.php b/htdocs/core/tpl/objectline_create.tpl.php
index c87a243a1c3..30027560140 100644
--- a/htdocs/core/tpl/objectline_create.tpl.php
+++ b/htdocs/core/tpl/objectline_create.tpl.php
@@ -153,7 +153,7 @@ else {
 		}
 	}
 
-	echo $form->select_type_of_lines(isset($_POST["type"])?$_POST["type"]:-1,'type',1,1,$forceall);
+	echo $form->select_type_of_lines(isset($_POST["type"])?GETPOST("type",'alpha',2):-1,'type',1,1,$forceall);
 
 	echo '</span>';
 
@@ -253,25 +253,25 @@ else {
 
 	<td class="nobottom linecolvat" align="right"><?php
 	if ($seller->tva_assuj == "0") echo '<input type="hidden" name="tva_tx" id="tva_tx" value="0">'.vatrate(0, true);
-	else echo $form->load_tva('tva_tx', (isset($_POST["tva_tx"])?$_POST["tva_tx"]:-1), $seller, $buyer, 0, 0, '', false, 1);
+	else echo $form->load_tva('tva_tx', (isset($_POST["tva_tx"])?GETPOST("tva_tx",'alpha',2):-1), $seller, $buyer, 0, 0, '', false, 1);
 	?>
 	</td>
 	<td class="nobottom linecoluht" align="right">
-	<input type="text" size="5" name="price_ht" id="price_ht" class="flat" value="<?php echo (isset($_POST["price_ht"])?$_POST["price_ht"]:''); ?>">
+	<input type="text" size="5" name="price_ht" id="price_ht" class="flat" value="<?php echo (isset($_POST["price_ht"])?GETPOST("price_ht",'alpha',2):''); ?>">
 	</td>
 	
 	<?php if (!empty($conf->multicurrency->enabled)) { $colspan++;?>
 	<td class="nobottom linecoluht_currency" align="right">
-	<input type="text" size="5" name="multicurrency_price_ht" id="multicurrency_price_ht" class="flat" value="<?php echo (isset($_POST["multicurrency_price_ht"])?$_POST["multicurrency_price_ht"]:''); ?>">
+	<input type="text" size="5" name="multicurrency_price_ht" id="multicurrency_price_ht" class="flat" value="<?php echo (isset($_POST["multicurrency_price_ht"])?GETPOST("multicurrency_price_ht",'alpha',2):''); ?>">
 	</td>
 	<?php } ?>
 	
 	<?php if (! empty($inputalsopricewithtax)) { ?>
 	<td class="nobottom linecoluttc" align="right">
-	<input type="text" size="5" name="price_ttc" id="price_ttc" class="flat" value="<?php echo (isset($_POST["price_ttc"])?$_POST["price_ttc"]:''); ?>">
+	<input type="text" size="5" name="price_ttc" id="price_ttc" class="flat" value="<?php echo (isset($_POST["price_ttc"])?GETPOST("price_ttc",'alpha',2):''); ?>">
 	</td>
 	<?php } ?>
-	<td class="nobottom linecolqty" align="right"><input type="text" size="2" name="qty" id="qty" class="flat" value="<?php echo (isset($_POST["qty"])?$_POST["qty"]:1); ?>">
+	<td class="nobottom linecolqty" align="right"><input type="text" size="2" name="qty" id="qty" class="flat" value="<?php echo (isset($_POST["qty"])?GETPOST("qty",'alpha',2):1); ?>">
 	</td>
 	<?php
 	if($conf->global->PRODUCT_USE_UNITS)
@@ -281,7 +281,7 @@ else {
 		print '</td>';
 	}
 	?>
-	<td class="nobottom nowrap linecoldiscount" align="right"><input type="text" size="1" name="remise_percent" id="remise_percent" class="flat" value="<?php echo (isset($_POST["remise_percent"])?$_POST["remise_percent"]:$buyer->remise_percent); ?>"><span class="hideonsmartphone">%</span></td>
+	<td class="nobottom nowrap linecoldiscount" align="right"><input type="text" size="1" name="remise_percent" id="remise_percent" class="flat" value="<?php echo (isset($_POST["remise_percent"])?GETPOST("remise_percent",'alpha',2):$buyer->remise_percent); ?>"><span class="hideonsmartphone">%</span></td>
 	<?php
 	if ($this->situation_cycle_ref) {
 		$coldisplay++;
@@ -296,7 +296,7 @@ else {
 			<select id="fournprice_predef" name="fournprice_predef" class="flat" data-role="none" style="display: none;"></select>
 			<?php } ?>
 			<!-- For free product -->
-			<input type="text" size="5" id="buying_price" name="buying_price" class="flat" value="<?php echo (isset($_POST["buying_price"])?$_POST["buying_price"]:''); ?>">
+			<input type="text" size="5" id="buying_price" name="buying_price" class="flat" value="<?php echo (isset($_POST["buying_price"])?GETPOST("buying_price",'alpha',2):''); ?>">
 		</td>
 		<?php
 
@@ -305,12 +305,12 @@ else {
 		{
 			if (! empty($conf->global->DISPLAY_MARGIN_RATES))
 			{
-				echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_marginRate" name="np_marginRate" value="'.(isset($_POST["np_marginRate"])?$_POST["np_marginRate"]:'').'"><span class="np_marginRate hideonsmartphone">%</span></td>';
+				echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_marginRate" name="np_marginRate" value="'.(isset($_POST["np_marginRate"])?GETPOST("np_marginRate",'alpha',2):'').'"><span class="np_marginRate hideonsmartphone">%</span></td>';
 				$coldisplay++;
 			}
 			if (! empty($conf->global->DISPLAY_MARK_RATES))
 			{
-				echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_markRate" name="np_markRate" value="'.(isset($_POST["np_markRate"])?$_POST["np_markRate"]:'').'"><span class="np_markRate hideonsmartphone">%</span></td>';
+				echo '<td align="right" class="nobottom nowrap margininfos"><input type="text" size="2" id="np_markRate" name="np_markRate" value="'.(isset($_POST["np_markRate"])?GETPOST("np_markRate",'alpha',2):'').'"><span class="np_markRate hideonsmartphone">%</span></td>';
 				$coldisplay++;
 			}
 		}
diff --git a/htdocs/core/tpl/objectline_edit.tpl.php b/htdocs/core/tpl/objectline_edit.tpl.php
index 74c6bdd4211..e684e3c2750 100644
--- a/htdocs/core/tpl/objectline_edit.tpl.php
+++ b/htdocs/core/tpl/objectline_edit.tpl.php
@@ -185,7 +185,7 @@ $coldisplay=-1; // We remove first td
 	    <?php if ($user->rights->margins->creer) {
 				if (! empty($conf->global->DISPLAY_MARGIN_RATES))
 				  {
-				    $margin_rate = (isset($_POST["np_marginRate"])?$_POST["np_marginRate"]:(($line->pa_ht == 0)?'':price($line->marge_tx)));
+				    $margin_rate = (isset($_POST["np_marginRate"])?GETPOST("np_marginRate","alpha",2):(($line->pa_ht == 0)?'':price($line->marge_tx)));
 				    // if credit note, dont allow to modify margin
 					if ($line->subprice < 0)
 						echo '<td align="right" class="nowrap margininfos">'.$margin_rate.'<span class="hideonsmartphone">%</span></td>';
@@ -195,7 +195,7 @@ $coldisplay=-1; // We remove first td
 				  }
 				elseif (! empty($conf->global->DISPLAY_MARK_RATES))
 				  {
-				    $mark_rate = (isset($_POST["np_markRate"])?$_POST["np_markRate"]:price($line->marque_tx));
+				    $mark_rate = (isset($_POST["np_markRate"])?GETPOST("np_markRate",'alpha',2):price($line->marque_tx));
 				    // if credit note, dont allow to modify margin
 					if ($line->subprice < 0)
 						echo '<td align="right" class="nowrap margininfos">'.$mark_rate.'<span class="hideonsmartphone">%</span></td>';
diff --git a/htdocs/expensereport/synchro_compta.php b/htdocs/expensereport/synchro_compta.php
deleted file mode 100644
index eba616d2620..00000000000
--- a/htdocs/expensereport/synchro_compta.php
+++ /dev/null
@@ -1,216 +0,0 @@
-<?php
-/* Copyright (C) 2015 Laurent Destailleur  <eldy@users.sourceforge.net>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-
-require '../main.inc.php';
-require_once DOL_DOCUMENT_ROOT . '/compta/bank/class/account.class.php';
-require_once DOL_DOCUMENT_ROOT . '/expensereport/class/expensereport.class.php';
-
-$langs->load("companies");
-$langs->load("users");
-$langs->load("trips");
-$langs->load("banks");
-
-$idAccount=isset($_GET["account"])?$_GET["account"]:$_POST["account"];
-
-if ($_GET["action"] == 'confirm_ndf_to_account' && $_GET["confirm"] == "yes"):
-
-	$idTrip 	= $_GET['idTrip'];
-
-	$expensereport = new ExpenseReport($db);
-	$expensereport->fetch($idTrip,$user);
-
-	$dateop 	= dol_mktime(12,0,0,$datePaiement[1],$datePaiement[2],$datePaiement[0]);
-	$operation	= $expensereport->code_paiement;
-	$label		= "Règlement ".$expensereport->ref;
-	$amount 	= - price2num($expensereport->total_ttc);
-	$num_chq	= '';
-	$cat1		= '';
-
-	$user = new User($db);
-	$user->fetch($user->id);
-
-	$acct=new Account($db,$idAccount);
-	$insertid = $acct->addline($dateop, $operation, $label, $amount, $num_chq, $cat1, $user);
-
-	if ($insertid > 0):
-		$sql = " UPDATE ".MAIN_DB_PREFIX."expensereport as d";
-		$sql.= " SET integration_compta = 1, fk_bank_account = $idAccount";
-		$sql.= " WHERE rowid = $idTrip";
-		$resql=$db->query($sql);
-		if($result):
-			Header("Location: ".$_SERVER["PHP_SELF"]."?account=".$idAccount);
-			exit;
-		else:
-			dol_print_error($db);
-		endif;
-	else:
-		dol_print_error($db,$acct->error);
-	endif;
-endif;
-
-if ($_GET["action"] == 'confirm_account_to_ndf' && $_GET["confirm"] == "yes"):
-
-	$idTrip 	= $_GET['idTrip'];
-
-	$expensereport = new ExpenseReport($db);
-	$expensereport->fetch($idTrip,$user);
-
-	$sql = "DELETE FROM ".MAIN_DB_PREFIX."bank";
-	$sql.= " WHERE label LIKE '%".$expensereport->ref."%'";
-	$resql=$db->query($sql);
-	if ($resql > 0):
-		$sql = " UPDATE ".MAIN_DB_PREFIX."expensereport as d";
-		$sql.= " SET integration_compta = 0, fk_bank_account = 0";
-		$sql.= " WHERE rowid = $idTrip";
-		$resql=$db->query($sql);
-		if($result):
-			Header("Location: ".$_SERVER["PHP_SELF"]."?account=".$idAccount);
-			exit;
-		else:
-			dol_print_error($db);
-		endif;
-	else:
-		dol_print_error($db);
-	endif;
-endif;
-
-
-/*
- * Actions
- */
-
-llxHeader();
-
-$html = new Form($db);
-
-$submit = isset($_POST['submit'])?true:false;
-$idAccount=isset($_GET["account"])?$_GET["account"]:$_POST["account"];
-
-print load_fiche_titre($langs->trans("TripSynch"));
-
-
-dol_fiche_head('');
-
-
-if ($_GET["action"] == 'ndfTOaccount'):
-	$idTrip = $_GET['idTrip'];
-	$ret=$html->form_confirm($_SERVER["PHP_SELF"]."?idTrip=".$idTrip."&account=".$idAccount,$langs->trans("ndfToAccount"),$langs->trans("ConfirmNdfToAccount"),"confirm_ndf_to_account","","",1);
-	if ($ret == 'html') print '<br />';
-endif;
-
-if ($_GET["action"] == 'accountTOndf'):
-	$idTrip = $_GET['idTrip'];
-	$ret=$html->form_confirm($_SERVER["PHP_SELF"]."?idTrip=".$idTrip."&account=".$idAccount,$langs->trans("AccountToNdf"),$langs->trans("ConfirmAccountToNdf"),"confirm_account_to_ndf","","",1);
-	if ($ret == 'html') print '<br />';
-endif;
-
-if(empty($submit) && empty($idAccount)):
-
-	print "<form name='add' method=\"post\" action=\"synchro_compta.php\">";
-	print 'Choix du compte&nbsp;&nbsp;';
-	print $html->select_comptes($_POST['account'],'account',0,'',1);
-	print '&nbsp;<input type="submit" name="submit" class="button" value="'.$langs->trans("ViewAccountSynch").'">';
-	print "</form>";
-
-else:
-
-	print "<form name='add' method=\"post\" action=\"synchro_compta.php\">";
-	print 'Choix du compte&nbsp;&nbsp;';
-	print $html->select_comptes($idAccount,'account',0,'',1);
-	print '&nbsp;<input type="submit" class="button" value="'.$langs->trans("ViewAccountSynch").'">';
-	print "</form>";
-
-	$sql = "SELECT d.fk_bank_account, d.ref, d.rowid, d.date_valid, d.fk_user_author, d.total_ttc, d.integration_compta, d.fk_statut";
-	$sql.= " ,CONCAT(u.firstname,' ',u.lastname) as declarant_NDF";
-	$sql.= " FROM ".MAIN_DB_PREFIX."expensereport as d";
-	$sql.= " INNER JOIN ".MAIN_DB_PREFIX."user as u ON d.fk_user_author = u.rowid";
-	$sql.= " WHERE d.fk_statut = 6";
-    $sql.= ' AND d.entity IN ('.getEntity('expensereport', 1).')';
-	$sql.= " ORDER BY d.date_valid DESC";
-
-	$resql=$db->query($sql);
-	if ($resql):
-	  	$num = $db->num_rows($resql); $i = 0;
-		if($num>0):
-
-			$account=new Account($db);
-			$account->fetch($idAccount);
-
-			print '<br>';
-
-			print "<table class='noborder' width='80%'>";
-				print '<tr class="liste_titre">';
-					print '<td>'.$langs->trans("Ref").'</td>';
-					print '<td>'.$langs->trans("DateValidation").'</td>';
-					print '<td>'.$langs->trans("USER_AUTHOR").'</td>';
-					print '<td align="center">'.$langs->trans("TotalTTC").'</td>';
-					print '<td align="center">Actions</td>';
-					print '<td>Compte</td>';
-					print '<td align="center">Int.</td>';
-				print '</tr>';
-
-				while($i<$num):
-					$objp = $db->fetch_object($resql);
-					$var=!$var;
-						print '<tr'. $bc[$var].'>';
-							print '<td>'.$objp->ref.'</td>';
-							print '<td>'.dol_print_date($db->jdate($objp->date_valid),'day').'</td>';
-							print '<td><a href="'.DOL_URL_ROOT.'/user/card.php?id='.$objp->fk_user_author.'">'.img_object($langs->trans("ShowUser"),"user").' '.$objp->declarant_NDF.'</a></td>';
-							print '<td align="center">'.$objp->total_ttc.' '.$langs->trans("EURO").'</td>';
-
-							if($objp->integration_compta)
-							{
-								print '<td align="center"><a href="synchro_compta.php?action=accountTOndf&idTrip='.$objp->rowid.'&account='.$idAccount.'"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/1leftarrow.png" style="border:0px;" alt="Compte vers NDF" title="Compte vers NDF"/></a></td>';
-							}
-							else
-							{
-								print '<td align="center"><a href="synchro_compta.php?action=ndfTOaccount&idTrip='.$objp->rowid.'&account='.$idAccount.'"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/1rightarrow.png" style="border:0px;" alt="NDF vers Compte" title="NDF vers Compte"/></a></td>';
-							}
-
-							print '<td>'.$account->label.'</td>';
-
-							if($objp->integration_compta)
-							{
-								print '<td align="center"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/tick.png" style="border:0px;" alt="Intégration OK" /></td>';
-							}
-							else
-							{
-								print '<td align="center"><img src="'.DOL_URL_ROOT.'/theme/'.$conf->theme.'/img/off.png" style="border:0px;" alt="Intégration Non OK" /></td>';
-							}
-
-						print "</tr>";
-					$i++;
-				endwhile;
-
-			print "</table>";
-
-		else:
-			print '<div class="error">'.$langs->trans("NoTripToSync").'</div>';
-		endif;
-
-		$db->free($resql);
-	else:
-		dol_print_error($db);
-	endif;
-
-endif;
-
-dol_fiche_end();
-
-llxFooter();
-
-$db->close();
\ No newline at end of file
diff --git a/htdocs/fourn/commande/orderstoinvoice.php b/htdocs/fourn/commande/orderstoinvoice.php
index 89f0a942172..1f87cdf5929 100644
--- a/htdocs/fourn/commande/orderstoinvoice.php
+++ b/htdocs/fourn/commande/orderstoinvoice.php
@@ -108,7 +108,7 @@ if (($action == 'create' || $action == 'add') && ! $error) {
 	$langs->load('products');
 	$langs->load('main');
 	if (isset($_GET['orders_to_invoice'])) {
-		$orders_id = $_GET['orders_to_invoice'];
+		$orders_id = GETPOST('orders_to_invoice','',1);
 		$n = count($orders_id);
 		$i = 0;
 
@@ -116,7 +116,7 @@ if (($action == 'create' || $action == 'add') && ! $error) {
 		$_GET['originid'] = $orders_id[0];
 	}
 	if (isset($_POST['orders_to_invoice'])) {
-		$orders_id = $_POST['orders_to_invoice'];
+		$orders_id = GETPOST('orders_to_invoice','',1);
 		$nn = count($orders_id);
 		$ii = 0;
 
@@ -149,10 +149,10 @@ if (($action == 'create' || $action == 'add') && ! $error) {
 			$datefacture = dol_mktime(date("h"), date("M"), 0, date("m"), date("d"), date("Y"));
 		}
 		if (! $error) {
-			$object->ref = $_POST['ref'];
-			$object->ref_supplier = $_POST['ref_supplier'];
-			$object->socid = $_POST['socid'];
-			$object->libelle = $_POST['libelle'];
+			$object->ref = GETPOST('ref');
+			$object->ref_supplier = GETPOST('ref_supplier');
+			$object->socid = GETPOST('socid','int');
+			$object->libelle = GETPOST('libelle');
 			$object->date = $datefacture;
 			$object->date_echeance = $datedue;
 			$object->note_public = GETPOST('note_public');
@@ -178,7 +178,7 @@ if (($action == 'create' || $action == 'add') && ! $error) {
 					foreach ( $orders_id as $origin => $origin_id ) {
 						$origin_id = (! empty($origin_id) ? $origin_id : $orders_id[$ii]);
 
-						$object->add_object_linked($_POST['origin'], $origin_id);
+						$object->add_object_linked(GETPOST('origin'), $origin_id);
 					}
 
 					while ( $ii < $nn ) {
@@ -321,7 +321,7 @@ if ($action == 'create' && !$error) {
 	print '<tr><td class="fieldrequired">' . $langs->trans('Ref') . '</td><td colspan="2">' . $langs->trans('Draft') . '</td></tr>';
 
 	// Ref supplier
-	print '<tr><td class="fieldrequired">' . $langs->trans('RefSupplier') . '</td><td><input name="ref_supplier" value="' . (isset($_POST['ref_supplier']) ? $_POST['ref_supplier'] : '') . '" type="text"></td>';
+	print '<tr><td class="fieldrequired">' . $langs->trans('RefSupplier') . '</td><td><input name="ref_supplier" value="' . dol_escape_htmltag(isset($_POST['ref_supplier']) ? GETPOST('ref_supplier','alpha', 2) : '') . '" type="text"></td>';
 	print '</tr>';
 
 	// Third party
@@ -387,7 +387,7 @@ if ($action == 'create' && !$error) {
 	print '<tr>';
 	print '<td class="border" valign="top">' . $langs->trans('NotePublic') . '</td>';
 	print '<td valign="top" colspan="2">';
-	print '<textarea name="note_public" wrap="soft" cols="70" rows="' . ROWS_3 . '">';
+	print '<textarea name="note_public" wrap="soft" class="quatrevingtpercent" rows="' . ROWS_3 . '">';
 
 	print $langs->trans("Orders") . ": " . implode(', ', $listoforders);
 
@@ -422,7 +422,7 @@ if ($action == 'create' && !$error) {
 if (($action != 'create' && $action != 'add') && !$error) {
 	llxHeader();
 	?>
-<script type="text/javascript">
+	<script type="text/javascript">
 		jQuery(document).ready(function() {
 		jQuery("#checkall").click(function() {
 			jQuery(".checkformerge").prop('checked', true);
@@ -456,10 +456,10 @@ if (($action != 'create' && $action != 'add') && !$error) {
 	if (! $user->rights->societe->client->voir && ! $socid)
 		$sql .= " AND s.rowid = sc.fk_soc AND sc.fk_user = " . $user->id;
 	if ($sref) {
-		$sql .= " AND c.ref LIKE '%" . $db->escape($sref) . "%'";
+		$sql .= natural_search("c.ref", $sref);
 	}
 	if ($sall) {
-		$sql .= " AND (c.ref LIKE '%" . $db->escape($sall) . "%' OR c.note LIKE '%" . $db->escape($sall) . "%')";
+		$sql .= natural_search(array("c.ref","c.note"), $sall);
 	}
 
 	// Date filter
@@ -469,7 +469,7 @@ if (($action != 'create' && $action != 'add') && !$error) {
 		$sql .= " AND c.date_livraison >= '" . $db->idate($date_starty) . "' AND c.date_livraison <= '" . $db->idate($date_endy) . "'";
 
 	if (! empty($sref_client)) {
-		$sql .= ' AND c.ref_supplier LIKE \'%' . $db->escape($sref_client) . '%\'';
+		$sql .= natural_search('c.ref_supplier', $sref_client);
 	}
 	$sql .= ' ORDER BY ' . $sortfield . ' ' . $sortorder;
 	dol_syslog('fourn/commande/ordertoinvoice.php sql=' . $sql);
@@ -495,7 +495,7 @@ if (($action != 'create' && $action != 'add') && !$error) {
 			print '<h3>' . $companystatic->getNomUrl(1, 'customer') . '</h3>';
 		}
 		
-		print '<form method="get" action="orderstoinvoice.php">';
+		print '<form name="orders2invoice" method="GET" action="orderstoinvoice.php">';
 		print '<input type="hidden" name="socid" value="' . $socid . '">';
 		print '<table class="noborder" width="100%">';
 		print '<tr class="liste_titre">';
@@ -541,7 +541,6 @@ if (($action != 'create' && $action != 'add') && !$error) {
 
 		print '</td></tr>';
 
-		print '<form name="orders2invoice" action="orderstoinvoice.php" method="GET">';
 		$var = True;
 		$generic_commande = new CommandeFournisseur($db);
 
@@ -607,7 +606,9 @@ if (($action != 'create' && $action != 'add') && !$error) {
 		print '<input type="submit" class="butAction" value="' . $langs->trans("GenerateBill") . '">';
 		print '</div>';
 		print '</div>';
+		
 		print '</form>';
+		
 		$db->free($resql);
 	} else {
 		print dol_print_error($db);
diff --git a/htdocs/fourn/facture/card.php b/htdocs/fourn/facture/card.php
index 861893d1900..8b7409f8bc5 100644
--- a/htdocs/fourn/facture/card.php
+++ b/htdocs/fourn/facture/card.php
@@ -386,13 +386,13 @@ if (empty($reshook))
 
 			if (! $error) {
 				// This is a replacement invoice
-				$result = $object->fetch($_POST['fac_replacement']);
+				$result = $object->fetch(GETPOST('fac_replacement'),'int');
 				$object->fetch_thirdparty();
 
-				$object->ref				= $_POST['ref'];
-				$object->ref_supplier		= $_POST['ref_supplier'];
-				$object->socid				= $_POST['socid'];
-				$object->libelle			= $_POST['label'];
+				$object->ref				= GETPOST('ref');
+				$object->ref_supplier		= GETPOST('ref_supplier','alpha');
+				$object->socid				= GETPOST('socid','int');
+				$object->libelle			= GETPOST('label');
 				$object->date				= $datefacture;
 				$object->date_echeance		= $datedue;
 				$object->note_public		= GETPOST('note_public');
@@ -407,7 +407,7 @@ if (empty($reshook))
 				$object->multicurrency_tx	= GETPOST('originmulticurrency_tx', 'int');
 
 				// Proprietes particulieres a facture de remplacement
-				$object->fk_facture_source = $_POST['fac_replacement'];
+				$object->fk_facture_source = GETPOST('fac_replacement');
 				$object->type = FactureFournisseur::TYPE_REPLACEMENT;
 
 				$id = $object->createFromCurrent($user);
@@ -586,7 +586,7 @@ if (empty($reshook))
 				if (! $error && $_POST['origin'] && $_POST['originid'])
 				{
 					// Parse element/subelement (ex: project_task)
-					$element = $subelement = $_POST['origin'];
+					$element = $subelement = GETPOST('origin');
 					/*if (preg_match('/^([^_]+)_([^_]+)/i',$_POST['origin'],$regs))
 					 {
 					$element = $regs[1];
@@ -610,8 +610,8 @@ if (empty($reshook))
 					{
 						$element = 'projet';
 					}
-					$object->origin    = $_POST['origin'];
-					$object->origin_id = $_POST['originid'];
+					$object->origin    = GETPOST('origin');
+					$object->origin_id = GETPOST('originid');
 
 					$id = $object->create($user);
 
@@ -623,7 +623,7 @@ if (empty($reshook))
 						if ($classname == 'Fournisseur.commande') $classname='CommandeFournisseur';
 						$srcobject = new $classname($db);
 
-						$result=$srcobject->fetch($_POST['originid']);
+						$result=$srcobject->fetch(GETPOST('originid','int'));
 						if ($result > 0)
 						{
 							$lines = $srcobject->lines;
diff --git a/htdocs/societe/checkvat/checkVatPopup.php b/htdocs/societe/checkvat/checkVatPopup.php
index 4d3daf138b3..dd1cd7df740 100644
--- a/htdocs/societe/checkvat/checkVatPopup.php
+++ b/htdocs/societe/checkvat/checkVatPopup.php
@@ -1,5 +1,5 @@
 <?php
-/* Copyright (C) 2006-2010 Laurent Destailleur  <eldy@users.sourceforge.net>
+/* Copyright (C) 2006-2016 Laurent Destailleur  <eldy@users.sourceforge.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -41,17 +41,18 @@ print '<div>';
 
 print load_fiche_titre($langs->trans("VATIntraCheckableOnEUSite"),'','title_setup');
 
+$vatNumber = GETPOST("vatNumber",'alpha');
 
-if (! $_REQUEST["vatNumber"])
+if (! $vatNumber)
 {
 	print '<br>';
 	print '<font class="error">'.$langs->transnoentities("ErrorFieldRequired",$langs->trans("VATIntraShort")).'</font><br>';
 }
 else
 {
-	$_REQUEST["vatNumber"] = preg_replace('/\^\w/', '', $_REQUEST["vatNumber"]);
-	$countryCode=substr($_REQUEST["vatNumber"],0,2);
-	$vatNumber=substr($_REQUEST["vatNumber"],2);
+	$vatNumber = preg_replace('/\^\w/', '', $vatNumber);
+	$countryCode=substr($vatNumber,0,2);
+	$vatNumber=substr($vatNumber,2);
 	
 	print '<b>'.$langs->trans("Country").'</b>: '.$countryCode.'<br>';
 	print '<b>'.$langs->trans("VATIntraShort").'</b>: '.$vatNumber.'<br>';
diff --git a/htdocs/societe/rib.php b/htdocs/societe/rib.php
index 0d61c0d98fa..8a6a9b87209 100644
--- a/htdocs/societe/rib.php
+++ b/htdocs/societe/rib.php
@@ -330,7 +330,7 @@ if ($socid && $action == 'edit' && $user->rights->societe->creer)
     print '<form action="rib.php?socid='.$object->id.'" method="post">';
     print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="update">';
-    print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
+    print '<input type="hidden" name="id" value="'.GETPOST("id","int").'">';
 }
 if ($socid && $action == 'create' && $user->rights->societe->creer)
 {
diff --git a/htdocs/user/bank.php b/htdocs/user/bank.php
index 951c3a6ef7e..7dc774c501d 100644
--- a/htdocs/user/bank.php
+++ b/htdocs/user/bank.php
@@ -117,7 +117,7 @@ if ($id && $action == 'edit' && $user->rights->user->user->creer)
     print '<form action="'.$_SERVER['PHP_SELF'].'?id='.$object->id.'" method="post">';
     print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
     print '<input type="hidden" name="action" value="update">';
-    print '<input type="hidden" name="id" value="'.$_GET["id"].'">';
+    print '<input type="hidden" name="id" value="'.GETPOST("id",'int').'">';
 }
 if ($id && $action == 'create' && $user->rights->user->user->creer)
 {
diff --git a/htdocs/user/notify/card.php b/htdocs/user/notify/card.php
index ec3691e85db..4e84a8b83fa 100644
--- a/htdocs/user/notify/card.php
+++ b/htdocs/user/notify/card.php
@@ -108,7 +108,7 @@ if ($action == 'add')
 // Remove a notification
 if ($action == 'delete')
 {
-    $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid=".$_GET["actid"];
+    $sql = "DELETE FROM ".MAIN_DB_PREFIX."notify_def where rowid=".GETPOST("actid","int");
     $db->query($sql);
 }
 

'.$langs->trans("Ref").'	'.$bookmark->ref.'
'.$langs->trans("Ref").'	'.$bookmark->ref.'
'; if ($action == 'edit') { @@ -231,7 +231,7 @@ if ($id > 0 && ! preg_match('/^add/i',$action)) } print '	'; - if ($action == 'edit') print 'title).'">'; + if ($action == 'edit') print 'title).'">'; else print $bookmark->title; print '
'.$langs->trans("AmountHT").'	'; + print '	'; print ' '.$langs->trans("Currency".$conf->currency).'
'.$langs->trans("VAT").'	'; print $form->load_tva('tva_tx',GETPOST('tva_tx'),$mysoc,$object); print '
'.$langs->trans("NoteReason").'
'.$langs->trans("Ref").'	'.$langs->trans("DateValidation").'	'.$langs->trans("USER_AUTHOR").'	'.$langs->trans("TotalTTC").'	Actions	Compte	Int.
'.$objp->ref.'	'.dol_print_date($db->jdate($objp->date_valid),'day').'	'.img_object($langs->trans("ShowUser"),"user").' '.$objp->declarant_NDF.'	'.$objp->total_ttc.' '.$langs->trans("EURO").'			'.$account->label.'