diff --git a/build/debian/conf.php.install b/build/debian/conf.php.install
index c27d9e0985b..3fe41b98086 100644
--- a/build/debian/conf.php.install
+++ b/build/debian/conf.php.install
@@ -221,7 +221,13 @@ $dolibarr_main_prod='0';
# $dolibarr_main_limit_users='0';
# dolibarr_mailing_limit_sendbyweb
-# Can set a limit for mailing send by web, can be used for a restricted mode.
+# Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
# Default value: 0 (use database value if exist)
# Examples:
# $dolibarr_mailing_limit_sendbyweb='0';
+
+# dolibarr_mailing_limit_sendbycli
+# Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+# Default value: 0 (use database value if exist)
+# Examples:
+# $dolibarr_mailing_limit_sendbycli='0';
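Review bot: The two comment blocks in this template do not mention the value that disables sending, while the htdocs/conf/conf.php.example hunk in this same commit documents `'-1'` as "forbidden" for both options. Since the text presents these settings as a way to restrict mailing at OS level, the Debian template should show the same example, e.g. `# Examples: '-1' (sending by web is forbidden)` under dolibarr_mailing_limit_sendbyweb and `# Examples: '-1' (sending by cli is forbidden)` under dolibarr_mailing_limit_sendbycli.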
diff --git a/htdocs/admin/system/constall.php b/htdocs/admin/system/constall.php
index 1ff005e88b2..0fb3a6c9a7b 100644
--- a/htdocs/admin/system/constall.php
+++ b/htdocs/admin/system/constall.php
@@ -90,7 +90,8 @@ $configfileparameters=array(
'?dolibarr_font_DOL_DEFAULT_TTF_BOLD',
'separator',
'?dolibarr_mailing_limit_sendbyweb',
- '?dolibarr_strict_mode'
+ '?dolibarr_mailing_limit_sendbycli',
+ '?dolibarr_strict_mode'
);
$configfilelib=array(
// 'separator',
diff --git a/htdocs/admin/system/dolibarr.php b/htdocs/admin/system/dolibarr.php
index 2fe87a02e63..21b79bcd7a1 100644
--- a/htdocs/admin/system/dolibarr.php
+++ b/htdocs/admin/system/dolibarr.php
@@ -286,7 +286,8 @@ $configfileparameters=array(
'separator4' => '',
'dolibarr_main_prod' => 'Production mode (Hide all error messages)',
'?dolibarr_mailing_limit_sendbyweb' => 'Limit nb of email sent by page',
- '?dolibarr_strict_mode' => 'Strict mode is on/off',
+ '?dolibarr_mailing_limit_sendbycli' => 'Limit nb of email sent by cli',
+ '?dolibarr_strict_mode' => 'Strict mode is on/off',
'?dolibarr_pdf_force_fpdf' => 'Force fpdf usage to generate PDF'
);
diff --git a/htdocs/comm/mailing/card.php b/htdocs/comm/mailing/card.php
index 29d4fa26c18..f43f3ecd046 100644
--- a/htdocs/comm/mailing/card.php
+++ b/htdocs/comm/mailing/card.php
@@ -756,6 +756,7 @@ else
$sendingmode=$conf->global->MAIN_MAIL_SENDMODE;
if (empty($sendingmode)) $sendingmode='mail'; // If not defined, we use php mail function
+ // Note: MAILING_LIMIT_SENDBYWEB is always defined to something != 0
if (! empty($conf->global->MAILING_NO_USING_PHPMAIL) && $sendingmode == 'mail')
{
// EMailing feature may be a spam problem, so when you host several users/instance, having this option may force each user to use their own SMTP agent.
@@ -767,19 +768,21 @@ else
if (! empty($conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS)) setEventMessages($langs->trans("MailSendSetupIs3", $conf->global->MAILING_SMTP_SETUP_EMAILS_FOR_QUESTIONS), null, 'warnings');
$_GET["action"]='';
}
- else if (empty($conf->global->MAILING_LIMIT_SENDBYWEB))
+ else if ($conf->global->MAILING_LIMIT_SENDBYWEB == '-1')
{
- // Pour des raisons de securite, on ne permet pas cette fonction via l'IHM,
- // on affiche donc juste un message
+ // No limit was defined, so the feature is forbidden from GUI, we show just a message.
setEventMessages($langs->trans("MailingNeedCommand"), null, 'warnings');
setEventMessages('', null, 'warnings');
- setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings');
+ if ($conf->file->mailing_limit_sendbyweb != '-1')
+ {
+ setEventMessages($langs->trans("MailingNeedCommand2"), null, 'warnings'); // You can send online with constant...
+ }
$_GET["action"]='';
}
else
{
$text='';
- if ($conf->file->mailing_limit_sendbyweb == 0)
+ if ($conf->global->MAILING_LIMIT_SENDBYCLI >= 0)
{
$text.=$langs->trans("MailingNeedCommand");
$text.='
';
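Review bot: The new guard `else if ($conf->global->MAILING_LIMIT_SENDBYWEB == '-1')` blocks sending from the GUI only for the exact value -1, whereas the removed `empty()` test also blocked an unset or empty constant. The comment added in the previous hunk says the constant is always defined to something other than 0, but the code that guarantees this is not in this diff, so if it is ever missing the request falls through to the web-sending branch. Consider failing closed, e.g. `else if (! isset($conf->global->MAILING_LIMIT_SENDBYWEB) || (int) $conf->global->MAILING_LIMIT_SENDBYWEB < 0)`. The comment `// No limit was defined, ...` also no longer matches the condition; `// Sending from the GUI is disabled (limit is -1), so we only show a message.` would be accurate. The enclosing else-branch starts and ends outside the hunk.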
diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example
index 83dbd300f60..c03e41b386c 100644
--- a/htdocs/conf/conf.php.example
+++ b/htdocs/conf/conf.php.example
@@ -273,6 +273,18 @@ $dolibarr_nocsrfcheck='0';
// Examples:
// $dolibarr_main_limit_users='0';
+// dolibarr_mailing_limit_sendbyweb
+// Can set a limit for mailing send by web. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by web is forbidden)
+// $dolibarr_mailing_limit_sendbyweb='0';
+
+// dolibarr_mailing_limit_sendbycli
+// Can set a limit for mailing send by cli. This overwrite database value. Can be used to restrict on OS level.
+// Default value: '0' (no overwrite, use database value if exists)
+// Examples: '-1' (sending by cli is forbidden)
+// $dolibarr_mailing_limit_sendbycli='0';
+
// dolibarr_strict_mode
// Set this to 1 to enable the PHP strict mode. For dev environment only.
// Default value: 0 (use database value if exist)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index 3abd7dd58b5..31ec3d6e6b5 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -824,7 +824,7 @@ class CMailFile
global $conf;
$out = "";
- $host = dol_getprefix();
+ $host = dol_getprefix('email');
// Sender
//$out.= "Sender: ".getValidAddress($this->addr_from,2)).$this->eol2;
diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php
index 72ee7e8b4ff..6cd5dfb2821 100644
--- a/htdocs/core/class/smtps.class.php
+++ b/htdocs/core/class/smtps.class.php
@@ -1195,7 +1195,7 @@ class SMTPs
$host=preg_replace('@tcp://@i','',$host); // Remove prefix
$host=preg_replace('@ssl://@i','',$host); // Remove prefix
- $host=dol_getprefix().'-'.$host;
+ $host=dol_getprefix('email').'-'.$host;
//NOTE: Message-ID should probably contain the username of the user who sent the msg
$_header .= 'Subject: ' . $this->getSubject() . "\r\n";
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index fc463dadd71..b3f08056d7d 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -321,19 +321,22 @@ function GETPOST($paramname,$check='',$method=0,$filter=NULL,$options=NULL)
* This prefix is unique for instance and avoid conflict between multi-instances,
* even when having two instances with one root dir or two instances in virtual servers
*
+ * @param string $mode '' or 'email'
* @return string A calculated prefix
*/
-function dol_getprefix()
+function dol_getprefix($mode='')
{
global $conf;
+ // If MAIL_PREFIX_FOR_EMAIL_ID is set and prefix is for email
+ if ($mode == 'email' && ! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID))
+ {
+ if ($conf->global->MAIL_PREFIX_FOR_EMAIL_ID != 'SERVER_NAME') return $conf->global->MAIL_PREFIX_FOR_EMAIL_ID;
+ else if (isset($_SERVER["SERVER_NAME"])) return $_SERVER["SERVER_NAME"];
+ }
+
if (isset($_SERVER["SERVER_NAME"]) && isset($_SERVER["DOCUMENT_ROOT"]))
{
- if (! empty($conf->global->MAIL_PREFIX_FOR_EMAIL_ID))
- {
- if ($conf->global->MAIL_PREFIX_FOR_EMAIL_ID == 'SERVER_NAME') return $_SERVER["SERVER_NAME"];
- return $conf->global->MAIL_PREFIX_FOR_EMAIL_ID;
- }
return dol_hash($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);
// Use this for a "clear" cookie name
//return dol_sanitizeFileName($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);
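Review bot: In 'email' mode `dol_getprefix()` now returns `MAIL_PREFIX_FOR_EMAIL_ID` or `$_SERVER["SERVER_NAME"]` verbatim, and the callers changed in this commit (CMailFile.class.php and smtps.class.php) appear to use the result when building mail headers. Depending on web server configuration SERVER_NAME can follow the request's Host header, so it is worth restricting the returned value to hostname characters, e.g. `return preg_replace('/[^a-zA-Z0-9._-]/', '', $_SERVER["SERVER_NAME"]);`, and doing the same for the configured constant. The docblock line `@param string $mode '' or 'email'` could also say what the mode changes: `@param string $mode '' for the hashed instance prefix, 'email' to use MAIL_PREFIX_FOR_EMAIL_ID (or the server name) for mail identifiers`. The function body continues past the end of the hunk.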
diff --git a/htdocs/filefunc.inc.php b/htdocs/filefunc.inc.php
index 5ce08697913..2954b431708 100644
--- a/htdocs/filefunc.inc.php
+++ b/htdocs/filefunc.inc.php
@@ -154,6 +154,7 @@ if (empty($dolibarr_main_db_encryption)) $dolibarr_main_db_encryption=0;
if (empty($dolibarr_main_db_cryptkey)) $dolibarr_main_db_cryptkey='';
if (empty($dolibarr_main_limit_users)) $dolibarr_main_limit_users=0;
if (empty($dolibarr_mailing_limit_sendbyweb)) $dolibarr_mailing_limit_sendbyweb=0;
+if (empty($dolibarr_mailing_limit_sendbycli)) $dolibarr_mailing_limit_sendbycli=0;
if (empty($dolibarr_strict_mode)) $dolibarr_strict_mode=0; // For debug in php strict mode
// TODO Multicompany Remove this. Useless.
if (empty($multicompany_transverse_mode)) $multicompany_transverse_mode=0;
diff --git a/htdocs/install/mysql/data/llx_c_payment_term.sql b/htdocs/install/mysql/data/llx_c_payment_term.sql
index a444bfbc466..783bf1e0daf 100644
--- a/htdocs/install/mysql/data/llx_c_payment_term.sql
+++ b/htdocs/install/mysql/data/llx_c_payment_term.sql
@@ -27,7 +27,7 @@
-- de l'install et tous les sigles '--' sont supprimés.
--
-insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (1,'RECEP', 1,1, 'A réception de facture','Réception de facture',0,1);
+insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (1,'RECEP', 1,1, 'Due Upon Receipt','Due Upon Receipt',0,1);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (2,'30D', 2,1, '30 jours','Réglement à 30 jours',0,30);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (3,'30DENDMONTH', 3,1, '30 jours fin de mois','Réglement à 30 jours fin de mois',1,30);
insert into llx_c_payment_term(rowid, code, sortorder, active, libelle, libelle_facture, type_cdr, nbjour) values (4,'60D', 4,1, '60 jours','Réglement à 60 jours',0,60);
diff --git a/htdocs/langs/en_US/bills.lang b/htdocs/langs/en_US/bills.lang
index 1e4a745621c..f16fdf25413 100644
--- a/htdocs/langs/en_US/bills.lang
+++ b/htdocs/langs/en_US/bills.lang
@@ -333,8 +333,8 @@ DateIsNotEnough=Date not reached yet
InvoiceGeneratedFromTemplate=Invoice %s generated from recurring template invoice %s
# PaymentConditions
Statut=Status
-PaymentConditionShortRECEP=Immediate
-PaymentConditionRECEP=Immediate
+PaymentConditionShortRECEP=Due Upon Receipt
+PaymentConditionRECEP=Due Upon Receipt
PaymentConditionShort30D=30 days
PaymentCondition30D=30 days
PaymentConditionShort30DENDMONTH=30 days of month-end
diff --git a/htdocs/langs/en_US/mails.lang b/htdocs/langs/en_US/mails.lang
index 83a344623aa..b9677805dcd 100644
--- a/htdocs/langs/en_US/mails.lang
+++ b/htdocs/langs/en_US/mails.lang
@@ -88,9 +88,10 @@ MailNoChangePossible=Recipients for validated emailing can't be changed
SearchAMailing=Search mailing
SendMailing=Send emailing
SendMail=Send email
-MailingNeedCommand=For security reason, sending an emailing is better when performed from command line. If you have one, ask your server administrator to launch the following command to send the emailing to all recipients:
+SentBy=Sent by
+MailingNeedCommand=For security reason, sending an emailing must be performed from command line. Ask your server administrator to launch the following command to send the emailing to all recipients:
MailingNeedCommand2=You can however send them online by adding parameter MAILING_LIMIT_SENDBYWEB with value of max number of emails you want to send by session. For this, go on Home - Setup - Other.
-ConfirmSendingEmailing=If you can't or prefer sending them with your www browser, please confirm you are sure you want to send emailing now from your browser?
+ConfirmSendingEmailing=If you want to send emailing directly from this screen, please confirm you are sure you want to send emailing now from your browser ?
LimitSendingEmailing=Note: Sending of emailings from web interface is done in several times for security and timeout reasons, %s recipients at a time for each sending session.
TargetsReset=Clear list
ToClearAllRecipientsClickHere=Click here to clear the recipient list for this emailing
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 3a9ef61d7ec..e07ef156124 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -89,7 +89,6 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/union.+select/i', $val);
$sql_inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
$sql_inj += preg_match('/(\.\.%2f)+/i', $val);
- $sql_inj += preg_match('/onerror=/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
@@ -98,7 +97,8 @@ function test_sql_and_script_inject($val, $type)
$sql_inj += preg_match('/