From 615ed115343b4f49345a30589e45759d1ee3721d Mon Sep 17 00:00:00 2001
From: florian HENRY
Date: Fri, 3 Aug 2018 17:09:58 +0200
Subject: [PATCH 1/2] fix bad use of test_sql_and_script_inject return int not value tested
---
 htdocs/core/class/html.form.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 776c04bfc41..5c7091ba6e3 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -1070,7 +1070,11 @@ class Form
 $outarray=array();
 
 // Clean $filter that may contains sql conditions so sql code
- if (function_exists('test_sql_and_script_inject')) $filter = test_sql_and_script_inject($filter, 3);
+ if (function_exists('test_sql_and_script_inject')) {
+ if (test_sql_and_script_inject($filter, 3)>0) {
+ $filter ='';
+ }
+ }
 
 // On recherche les societes
 $sql = "SELECT s.rowid, s.nom as name, s.name_alias, s.client, s.fournisseur, s.code_client, s.code_fournisseur";
From 74d05da149655e29933b689881d0881833203b7c Mon Sep 17 00:00:00 2001
From: florian HENRY
Date: Mon, 6 Aug 2018 11:28:34 +0200
Subject: [PATCH 2/2] fix : display if error
---
 htdocs/holiday/card.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/htdocs/holiday/card.php b/htdocs/holiday/card.php
index b19f63e0ab3..348edcac1e7 100644
--- a/htdocs/holiday/card.php
+++ b/htdocs/holiday/card.php
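Review bot: When test_sql_and_script_inject() flags the filter, the new branch silently replaces $filter with an empty string, so the SQL assembled on the following lines runs with no filter at all and the caller never learns that its input was rejected — a suspicious value widens the result set instead of being refused. Failing closed is safer: record the event with `dol_syslog(__METHOD__.' filter rejected by test_sql_and_script_inject', LOG_WARNING);` and make the call fail rather than substituting an empty filter; how that failure is signalled depends on the method's return contract, which is not visible here because the enclosing method starts and ends outside the hunk. As a point of style, `$filter ='';` would read better as `$filter = '';`.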
@@ -452,10 +452,15 @@ if ($action == 'confirm_valid')
 $newSolde = $soldeActuel - ($nbopenedday * $object->getConfCP('nbHolidayDeducted'));
 
 // On ajoute la modification dans le LOG
- $object->addLogCP($user->id, $object->fk_user, $langs->transnoentitiesnoconv("Holidays"), $newSolde, $object->fk_type);
-
+ $result=$object->addLogCP($user->id, $object->fk_user, $langs->transnoentitiesnoconv("Holidays"), $newSolde, $object->fk_type);
+ if ($result<0) {
+ setEventMessages(null, $object->errors,'errors');
+ }
 // Mise à jour du solde
- $object->updateSoldeCP($object->fk_user, $newSolde, $object->fk_type);
+ $result=$object->updateSoldeCP($object->fk_user, $newSolde, $object->fk_type);
+ if ($result<0) {
+ setEventMessages(null, $object->errors,'errors');
+ }
 
 // To
 $destinataire = new User($db);
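Review bot: Both new error branches display the failure but do not stop the action: after addLogCP() or updateSoldeCP() returns a negative value the handler still goes on to build `$destinataire` and whatever notification follows, so a validation whose balance update failed is reported as an error and then processed as if it had succeeded. Increment the handler's error counter if it uses one, or skip the remaining steps when `$result<0`; the surrounding `if ($action == 'confirm_valid')` block starts and ends outside the hunk, so its convention is not visible here. Also, `setEventMessages(null, $object->errors,'errors')` shows nothing when the class populated only `$object->error`; the usual form is `setEventMessages($object->error, $object->errors, 'errors');`. The blank line the first change removed between the log entry and the balance update is worth keeping.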