From 931b556b698067b4d357703eee875d4d8c8cc9da Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Mon, 4 Mar 2013 00:01:38 +0100
Subject: [PATCH] Fix: sql error

---
 htdocs/comm/prospect/fiche.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/htdocs/comm/prospect/fiche.php b/htdocs/comm/prospect/fiche.php
index bd08c74f647..0e2467a3a75 100644
--- a/htdocs/comm/prospect/fiche.php
+++ b/htdocs/comm/prospect/fiche.php
@@ -52,19 +52,19 @@ $object = new Prospect($db);
 if ($action == 'cstc')
 {
-    $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm = ".$_GET["stcomm"];
-    $sql .= " WHERE rowid = ".$socid;
+    $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm = ".$db->escape(GETPOST('stcomm'));
+    $sql.= " WHERE rowid = ".$socid;
     $db->query($sql);
 }
 // set prospect level
 if ($action == 'setprospectlevel' && $user->rights->societe->creer)
 {
     $object->fetch($socid);
-    $object->fk_prospectlevel=$_POST['prospect_level_id'];
-    $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_prospectlevel='".$_POST['prospect_level_id'];
+    $sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_prospectlevel='".$db->escape(GETPOST('prospect_level_id'))."'";
     $sql.= " WHERE rowid = ".$socid;
     $result = $db->query($sql);
     if (! $result) dol_print_error($result);
+    else $object->fk_prospectlevel=GETPOST('prospect_level_id');
 }
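Review bot: The new `fk_stcomm = ".$db->escape(GETPOST('stcomm'))` still places request input in an unquoted numeric position, where an escape routine that only handles quote characters does not constrain the value; since `fk_stcomm` is an integer key, cast it instead, `$sql = "UPDATE ".MAIN_DB_PREFIX."societe SET fk_stcomm = ".(int) GETPOST('stcomm');`. The same applies to `$socid` in both `WHERE rowid = ".$socid` lines (its origin is outside the hunk, so this is presumably already an int if it was read with an int check; if not, `$sql.= " WHERE rowid = ".(int) $socid;` closes the gap). The `fk_prospectlevel` line is a quoted string value, so `$db->escape()` is the appropriate treatment there. Separately, the `cstc` branch runs its UPDATE without the `$user->rights->societe->creer` check that the `setprospectlevel` branch a few lines below applies; adding the same guard to the first `if` would make the two write paths consistent.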