diff --git a/htdocs/comm/action/card.php b/htdocs/comm/action/card.php
index af54186e255..4e5abac75d3 100644
--- a/htdocs/comm/action/card.php
+++ b/htdocs/comm/action/card.php
@@ -221,7 +221,7 @@ if ($action == 'add')
  }
  // Initialisation objet cactioncomm
- if (! GETPOST('actioncode') > 0) // actioncode is id
+ if (GETPOSTISSET('actioncode') && ! GETPOST('actioncode', 'aZ09')) // actioncode is '0'
  {
  $error++; $donotclearsession=1; $action = 'create';
@@ -229,7 +229,7 @@ if ($action == 'add')
  }
  else
  {
- $object->type_code = GETPOST('actioncode');
+ $object->type_code = GETPOST('actioncode', 'aZ09');
  }
  if (! $error)
@@ -243,7 +243,7 @@ if ($action == 'add')
  $object->elementtype = GETPOST("elementtype", 'alpha');
  if (! GETPOST('label'))
  {
- if (GETPOST('actioncode') == 'AC_RDV' && $contact->getFullName($langs))
+ if (GETPOST('actioncode', 'aZ09') == 'AC_RDV' && $contact->getFullName($langs))
  {
  $object->label = $langs->transnoentitiesnoconv("TaskRDVWith", $contact->getFullName($langs));
  }
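Review bot: The rewritten guard on the `+` line of @@ -221 only fires when `actioncode` is present in the request, so a request that omits the field entirely now skips the required-type error and falls through to `$object->type_code = GETPOST('actioncode', 'aZ09')` with an empty code; the old `! GETPOST('actioncode') > 0` (which, since `!` binds tighter than `>`, simply meant "actioncode is empty") did catch that case. If the form can ever omit the field, dropping the `GETPOSTISSET` guard — `if (! GETPOST('actioncode', 'aZ09')) // actioncode missing or '0'` — keeps the check as strict as before; the same pattern appears in @@ -491. The `'aZ09'` filter is presumably the one that keeps `_` in the value, which the `== 'AC_RDV'` comparisons at @@ -243 and @@ -689 depend on; worth confirming against GETPOST's filter table before relying on it. The enclosing `if ($action == 'add')` block starts and ends outside these hunks.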
@@ -426,15 +426,15 @@ if ($action == 'update')
  $datep=dol_mktime($fulldayevent?'00':$aphour, $fulldayevent?'00':$apmin, 0, $_POST["apmonth"], $_POST["apday"], $_POST["apyear"]);
  $datef=dol_mktime($fulldayevent?'23':$p2hour, $fulldayevent?'59':$p2min, $fulldayevent?'59':'0', $_POST["p2month"], $_POST["p2day"], $_POST["p2year"]);
- $object->type_id = dol_getIdFromCode($db, GETPOST("actioncode"), 'c_actioncomm');
- $object->label = GETPOST("label");
+ $object->type_id = dol_getIdFromCode($db, GETPOST("actioncode", 'aZ09'), 'c_actioncomm');
+ $object->label = GETPOST("label", "alphanohtml");
  $object->datep = $datep;
  $object->datef = $datef;
  $object->percentage = $percentage;
- $object->priority = GETPOST("priority");
+ $object->priority = GETPOST("priority", "alphanohtml");
  $object->fulldayevent= GETPOST("fullday")?1:0;
- $object->location = GETPOST('location');
- $object->socid = GETPOST("socid");
+ $object->location = GETPOST('location', "alphanohtml");
+ $object->socid = GETPOST("socid", "int");
  $socpeopleassigned = GETPOST("socpeopleassigned", 'array');
  $object->socpeopleassigned = array();
  foreach ($socpeopleassigned as $cid) $object->socpeopleassigned[$cid] = array('id' => $cid);
@@ -446,8 +446,8 @@ if ($action == 'update')
  $object->fk_project = GETPOST("projectid", 'int');
  $object->note = GETPOST("note", "none"); // deprecated
  $object->note_private= GETPOST("note", "none");
- $object->fk_element = GETPOST("fk_element");
- $object->elementtype = GETPOST("elementtype");
+ $object->fk_element = GETPOST("fk_element", "int");
+ $object->elementtype = GETPOST("elementtype", "alphanohtml");
  if (! $datef && $percentage == 100)
  {
@@ -491,7 +491,7 @@ if ($action == 'update')
  }
  // Check parameters
- if (! GETPOST('actioncode') > 0)
+ if (GETPOSTISSET('actioncode') && ! GETPOST('actioncode', 'aZ09')) // actioncode is '0'
  {
  $error++; $donotclearsession=1; $action = 'edit';
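Review bot: The first two context lines of @@ -426 still feed `$_POST["apmonth"]`, `$_POST["apday"]`, `$_POST["apyear"]`, `$_POST["p2month"]`, `$_POST["p2day"]` and `$_POST["p2year"]` straight into dol_mktime, so the date fields bypass the filtering this hunk adds to every other input of the same block; `GETPOST('apmonth', 'int')` and so on for each of the six would bring them in line. `$object->priority = GETPOST("priority", "alphanohtml")` on the third `+` line also looks like a candidate for the `"int"` filter if priority is stored as a number, as `socid` now does further down — confirm against the column type. `$fulldayevent`, `$percentage`, `$aphour` and `$p2hour` are assigned above the hunk, so how they are sanitised cannot be judged from here.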
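Review bot: `$object->elementtype = GETPOST("elementtype", "alphanohtml")` on the last `+` line of @@ -446 uses a different filter from the add branch, where the context line at @@ -243 reads `$object->elementtype = GETPOST("elementtype", 'alpha')`; both branches write the same field, so one filter should be chosen and used in both places. `fk_element` now gets `"int"` here, while its counterpart in the add branch is outside the visible hunks, so it is worth checking that it uses `"int"` as well. The enclosing `if ($action == 'update')` block continues outside the hunk.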
@@ -499,7 +499,7 @@ if ($action == 'update')
  }
  else
  {
- $result=$cactioncomm->fetch(GETPOST('actioncode'));
+ $result=$cactioncomm->fetch(GETPOST('actioncode', 'aZ09'));
  }
  if (empty($object->userownerid))
  {
@@ -689,7 +689,7 @@ if ($action == 'create')
  if ($backtopage) print '';
  if (empty($conf->global->AGENDA_USE_EVENT_TYPE)) print '';
- if (GETPOST("actioncode") == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda');
+ if (GETPOST("actioncode", 'aZ09') == 'AC_RDV') print load_fiche_titre($langs->trans("AddActionRendezVous"), '', 'title_agenda');
  else print load_fiche_titre($langs->trans("AddAnAction"), '', 'title_agenda');
  dol_fiche_head();
@@ -701,7 +701,7 @@ if ($action == 'create')
  {
  print '
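Review bot: The comparison on the `+` line of @@ -689, `GETPOST("actioncode", 'aZ09') == 'AC_RDV'`, is a loose comparison on a value that has just been constrained to a plain string; `GETPOST("actioncode", 'aZ09') === 'AC_RDV'` states the intent without leaning on PHP's string/number coercion rules, and the same applies to the `+` line at @@ -243. The `if ($action == 'create')` block this hunk sits in starts and ends outside the hunk.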