diff --git a/htdocs/adherents/subscription/info.php b/htdocs/adherents/subscription/info.php
index c83771d22ff..05856c35f75 100644
--- a/htdocs/adherents/subscription/info.php
+++ b/htdocs/adherents/subscription/info.php
@@ -36,7 +36,7 @@ $langs->load("users");
 if (!$user->rights->adherent->lire) accessforbidden();
-$rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"];
+$rowid=GETPOST("rowid",'int');
@@ -44,10 +44,10 @@ $rowid=isset($_GET["rowid"])?$_GET["rowid"]:$_POST["rowid"];
 * View
 */
-llxHeader();
-
 $form = new Form($db);
+llxHeader();
+
 $object = new Subscription($db);
 $result = $object->fetch($rowid);
diff --git a/htdocs/cashdesk/tpl/facturation1.tpl.php b/htdocs/cashdesk/tpl/facturation1.tpl.php
index 580012847f5..4372f422518 100644
--- a/htdocs/cashdesk/tpl/facturation1.tpl.php
+++ b/htdocs/cashdesk/tpl/facturation1.tpl.php
@@ -19,6 +19,14 @@
 *
 */
+// Protection to avoid direct call of template
+if (empty($langs) || ! is_object($langs))
+{
+ print "Error, template page can't be called as URL";
+ exit;
+}
+
+
 $langs->load("main");
 $langs->load("bills");
 $langs->load("cashdesk");
diff --git a/htdocs/cashdesk/tpl/liste_articles.tpl.php b/htdocs/cashdesk/tpl/liste_articles.tpl.php
index e4b6bc14436..65f48b0603c 100644
--- a/htdocs/cashdesk/tpl/liste_articles.tpl.php
+++ b/htdocs/cashdesk/tpl/liste_articles.tpl.php
@@ -17,6 +17,14 @@
 *
 */
+// Protection to avoid direct call of template
+if (empty($langs) || ! is_object($langs))
+{
+ print "Error, template page can't be called as URL";
+ exit;
+}
+
+
 require_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
diff --git a/htdocs/cashdesk/tpl/menu.tpl.php b/htdocs/cashdesk/tpl/menu.tpl.php
index fd9bcbca77c..4197db6b1b0 100644
--- a/htdocs/cashdesk/tpl/menu.tpl.php
+++ b/htdocs/cashdesk/tpl/menu.tpl.php
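Review bot: The direct-call guard added at the top of facturation1.tpl.php answers a direct request with HTTP 200 and a readable body, so monitoring and scanners see a successful page rather than a refusal; send a status before the message, e.g. `header('HTTP/1.1 403 Forbidden');` as the first statement inside the `if`. The same block is repeated verbatim in liste_articles.tpl.php, menu.tpl.php, ticket.tpl.php, validation1.tpl.php and validation2.tpl.php; because DOL_DOCUMENT_ROOT is not defined when a template is hit directly the guard cannot live in a shared include, and a one-line comment saying so, e.g. `// Inlined on purpose: no framework constant is available on a direct call`, would stop someone from "deduplicating" it later. Note that the check keys on `$langs` being an object rather than on how the file was reached, which holds only as long as every legitimate includer sets `$langs` first — presumably main.inc.php does, but that is not visible here. A web-server rule denying `*.tpl.php` outright remains the stronger control and does not depend on PHP state.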
@@ -19,6 +19,14 @@
 * along with this program. If not, see .
 */
+// Protection to avoid direct call of template
+if (empty($langs) || ! is_object($langs))
+{
+ print "Error, template page can't be called as URL";
+ exit;
+}
+
+
 include_once DOL_DOCUMENT_ROOT.'/societe/class/societe.class.php';
 include_once DOL_DOCUMENT_ROOT.'/compta/bank/class/account.class.php';
 include_once DOL_DOCUMENT_ROOT.'/product/stock/class/entrepot.class.php';
diff --git a/htdocs/cashdesk/tpl/ticket.tpl.php b/htdocs/cashdesk/tpl/ticket.tpl.php
index 82b84ba3b56..3937c9dbde3 100644
--- a/htdocs/cashdesk/tpl/ticket.tpl.php
+++ b/htdocs/cashdesk/tpl/ticket.tpl.php
@@ -16,6 +16,15 @@
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see .
 */
+
+// Protection to avoid direct call of template
+if (empty($langs) || ! is_object($langs))
+{
+ print "Error, template page can't be called as URL";
+ exit;
+}
+
+
 include_once DOL_DOCUMENT_ROOT.'/compta/facture/class/facture.class.php';
 $langs->load("main");
diff --git a/htdocs/cashdesk/tpl/validation1.tpl.php b/htdocs/cashdesk/tpl/validation1.tpl.php
index bb3d63a9e58..2a390b99c65 100644
--- a/htdocs/cashdesk/tpl/validation1.tpl.php
+++ b/htdocs/cashdesk/tpl/validation1.tpl.php
@@ -16,6 +16,14 @@
 * along with this program. If not, see .
 */
+// Protection to avoid direct call of template
+if (empty($langs) || ! is_object($langs))
+{
+ print "Error, template page can't be called as URL";
+ exit;
+}
+
+
 $langs->load("main");
 $langs->load("bills");
 $langs->load("banks");
diff --git a/htdocs/cashdesk/tpl/validation2.tpl.php b/htdocs/cashdesk/tpl/validation2.tpl.php
index a6e2fe2a3f3..a9889451bda 100644
--- a/htdocs/cashdesk/tpl/validation2.tpl.php
+++ b/htdocs/cashdesk/tpl/validation2.tpl.php
@@ -17,6 +17,14 @@
 *
 */
+// Protection to avoid direct call of template
+if (empty($langs) || ! is_object($langs))
+{
+ print "Error, template page can't be called as URL";
+ exit;
+}
+
+
 $langs->load("main");
 $langs->load("bills");
diff --git a/htdocs/comm/multiprix.php b/htdocs/comm/multiprix.php
index 80c6305fcec..dd4e6cef1fa 100644
--- a/htdocs/comm/multiprix.php
+++ b/htdocs/comm/multiprix.php
@@ -30,7 +30,8 @@ require_once DOL_DOCUMENT_ROOT.'/contact/class/contact.class.php';
 $langs->load("orders");
 $langs->load("companies");
-$_socid = $_GET["id"];
+$id = GETPOST('id','int');
+$_socid = GETPOST("id",'int');
 // Security check
 if ($user->societe_id > 0)
 {
@@ -45,10 +46,10 @@ if ($user->societe_id > 0)
 if ($_POST["action"] == 'setpricelevel')
 {
 $soc = New Societe($db);
- $soc->fetch($_GET["id"]);
+ $soc->fetch($id);
 $soc->set_price_level($_POST["price_level"],$user);
- header("Location: multiprix.php?id=".$_GET["id"]);
+ header("Location: multiprix.php?id=".$id);
 exit;
 }
@@ -87,7 +88,7 @@ if ($_socid > 0)
 print '
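Review bot: `$id` and `$_socid` are both filled from the same `id` parameter with the same GETPOST int check, so the second read is redundant and the two names can silently diverge on a later edit; `$_socid = $id;` states the intent. The `if ($user->societe_id > 0)` block that follows continues outside the hunk, so whether `$_socid` is later overridden for external users is not visible here.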
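Review bot: `id` is now read through GETPOST with the int check, but `$_POST["action"]` and `$_POST["price_level"]` in the same block are still consumed raw, and `price_level` goes straight into `set_price_level()`; price levels are, as far as I can tell, integer indices, so `$soc->set_price_level(GETPOST('price_level','int'),$user);` would apply the same boundary discipline the commit gives `id` (and `GETPOST('action','alpha')` for the dispatch). The redirect `header("Location: multiprix.php?id=".$id);` is the concrete gain of the hunk, since `$id` is now guaranteed numeric. Whether set_price_level() escapes its argument internally is not visible in this diff.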
'; print ''; print ''; - + dol_fiche_head($head, $tabchoice, $langs->trans("ThirdParty"), 0, 'company'); print ''; @@ -122,12 +123,12 @@ if ($_socid > 0) print "
"; dol_fiche_end(); - + print '
'; print "
"; - + print '

';
diff --git a/htdocs/fourn/index.php b/htdocs/fourn/index.php
index 690835a5e99..8f34077ab34 100644
--- a/htdocs/fourn/index.php
+++ b/htdocs/fourn/index.php
@@ -33,7 +33,7 @@ $langs->load("orders");
 $langs->load("companies");
 // Security check
-$socid = isset($_GET["socid"])?$_GET["socid"]:'';
+$socid = GETPOST("socid", 'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'societe',$socid,'');
@@ -81,7 +81,7 @@ if ($resql)
 while ($i < $num)
 {
 $row = $db->fetch_row($resql);
-
+
 print '';
 print ''.$langs->trans($commande->statuts[$row[1]]).'';
@@ -132,7 +132,7 @@ if (! empty($conf->fournisseur->enabled))
 $var = true;
 while ($i < $num)
 {
-
+
 $obj = $db->fetch_object($resql);
 print '';
 $commandestatic->id=$obj->rowid;
@@ -151,7 +151,7 @@ if (! empty($conf->fournisseur->enabled))
 }
 if ($total>0)
 {
-
+
 print ''.$langs->trans("Total").''.price($total)."";
 }
 print "";
@@ -190,7 +190,7 @@ if (! empty($conf->fournisseur->enabled) && $user->rights->fournisseur->facture-
 while ($i < $num && $i < 20)
 {
 $obj = $db->fetch_object($resql);
-
+
 print '';
 $facturestatic->ref=$obj->ref;
 $facturestatic->id=$obj->rowid;
@@ -263,7 +263,7 @@ if ($resql)
 while ($obj = $db->fetch_object($resql) )
 {
-
+
 print '';
 print ''.img_object($langs->trans("ShowSupplier"),"company").'';
@@ -300,7 +300,7 @@ if (count($companystatic->SupplierCategories))
 foreach ($companystatic->SupplierCategories as $rowid => $label)
 {
-
+
 print "\n";
 print '';
 $categstatic->id=$rowid;
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 4febe121156..d5a692ca86e 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -81,7 +81,8 @@ function test_sql_and_script_inject($val, $type)
 // For SQL Injection (only GET and POST are used to be included into bad escaped SQL requests)
 if ($type != 2)
 {
- $inj += preg_match('/delete\s+from/i', $val);
+ $inj += preg_match('/updatexml^(/i', $val);
+ $inj += preg_match('/delete\s+from/i', $val);
 $inj += preg_match('/create\s+table/i', $val);
 $inj += preg_match('/update.+set.+=/i', $val);
 $inj += preg_match('/insert\s+into/i', $val);
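Review bot: The new pattern `'/updatexml^(/i'` is not a valid regular expression — the `(` opens a group that is never closed — so preg_match() fails to compile it, emits a warning and returns false, which `+=` adds as 0; the updatexml check therefore never fires, and every request that reaches this branch logs a PCRE warning. The `^` in the middle of the pattern is an anchor, not a literal, which is a second reason it could never match. The intended match is the function-call form, so `$inj += preg_match('/updatexml\s*\(/i', $val);` is what the line should read. This keyword list is a last line of defence only; any query built from GET/POST still needs proper escaping or parameterisation regardless of what passes here, and test_sql_and_script_inject's body continues outside the hunk.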