diff --git a/htdocs/fourn/class/fournisseur.product.class.php b/htdocs/fourn/class/fournisseur.product.class.php
index b124817bf9f..708e3e621e4 100644
--- a/htdocs/fourn/class/fournisseur.product.class.php
+++ b/htdocs/fourn/class/fournisseur.product.class.php
@@ -653,7 +653,7 @@ class ProductFournisseur extends Product
 $sql .= " WHERE pfp.entity IN (".getEntity('productsupplierprice').")";
 $sql .= " AND pfp.fk_soc = s.rowid AND pfp.fk_product = p.rowid";
 $sql .= " AND s.status=1"; // only enabled company selected
- $sql .= " AND pfp.fk_product = ".$prodid;
+ $sql .= " AND pfp.fk_product = ".((int) $prodid);
 if (empty($sortfield)) {
 $sql .= " ORDER BY s.nom, pfp.quantity, pfp.price";
 } else {
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 5d378226cb7..f9b8aa637d2 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -150,7 +150,7 @@ function testSqlAndScriptInject($val, $type)
 $inj += preg_match('/"/i', $val); // We refused " in GET parameters value.
 }
 if ($type == 2) {
- $inj += preg_match('/[:;"\'<>\?\(\)]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces.
+ $inj += preg_match('/[:;"\'<>\?\(\){}\$%]/', $val); // PHP_SELF is a file system (or url path without parameters). It can contains spaces.
 }
 return $inj;
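Review bot: The `(int)` cast on the replaced `fk_product` line closes the concatenation hole, but it also turns a non-numeric or empty `$prodid` into `0`, which matches no row and fails silently rather than loudly; consider rejecting the value before the query is built, `if ((int) $prodid <= 0) { return -1; }` or whichever error convention this method already uses. A cast only protects numeric predicates: the `else` branch that follows the hunk (outside it) presumably appends `$sortfield` to `ORDER BY`, and a column name cannot be cast, so if it is concatenated there it needs an allowlist of permitted sort columns unless that is already done. The enclosing method starts and ends outside the hunk.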
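Review bot: The widened character class on the added `$type == 2` line is still a denylist, and a denylist for a path component is hard to keep complete — backticks, `|`, `&`, `#` and newline characters are still accepted; an allowlist of what a script path under the document root legitimately contains would subsume the added `{}`, `$` and `%`, e.g. `$inj += preg_match('/[^a-zA-Z0-9_\-.\/ ]/', $val);`, widened for any characters this install's paths genuinely use. Note that `\$` inside a single-quoted PHP string reaches PCRE verbatim, where it is a literal `$` inside a class, so the escape is harmless but unnecessary and `$%` reads cleaner. The trailing comment on that line has a grammar slip, `It can contains spaces` → `It can contain spaces`. The enclosing function testSqlAndScriptInject starts before the hunk.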