diff --git a/htdocs/commande/class/commande.class.php b/htdocs/commande/class/commande.class.php
index de93ff778c4..02ea14142fc 100644
--- a/htdocs/commande/class/commande.class.php
+++ b/htdocs/commande/class/commande.class.php
@@ -365,7 +365,7 @@ class Commande extends CommonOrder
 // Validate
 $sql = "UPDATE ".MAIN_DB_PREFIX."commande";
- $sql.= " SET ref = '".$num."',";
+ $sql.= " SET ref = '".$this->db->escape($num)."',";
 $sql.= " fk_statut = ".self::STATUS_VALIDATED.",";
 $sql.= " date_valid='".$this->db->idate($now)."',";
 $sql.= " fk_user_valid = ".$user->id;
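Review bot: On the last visible line, `$user->id` is still concatenated into the UPDATE unquoted and without a cast, and `escape()` would not help in a numeric context. Unless the id is guaranteed to be an integer at this point, I would write `$sql.= " fk_user_valid = ".((int) $user->id);`. The escaping added for `$num` is only sufficient because the value sits inside single quotes, so a short comment such as `// ref comes from the numbering module; escape before quoting` would help keep that pairing intact. The statement and its enclosing method continue outside the hunk, so whatever is concatenated after this line (presumably a WHERE clause) deserves the same check.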