From 1a9e98cda9563b42f1f7e7d1faf215d165ff34bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Doursenaud?= <rdoursenaud@gpcsolutions.fr>
Date: Fri, 8 Aug 2014 19:30:21 +0200
Subject: [PATCH 01/18] Fix categories bug

When using the string type,
$typeid == 1 matched all strings making other conditions ineffective.
---
 htdocs/categories/class/categorie.class.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index b7e2ed030ab..1788f2e1ac6 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1123,11 +1123,11 @@ class Categorie
 		$cats = array();
 
 		$table=''; $type='';
-		if ($typeid == 0 || $typeid == 'product')         { $typeid=0; $table='product'; $type='product'; }
-		else if ($typeid == 1 || $typeid == 'supplier')  { $typeid=1; $table='societe'; $type='fournisseur'; }
-		else if ($typeid == 2 || $typeid == 'customer')  { $typeid=2; $table='societe'; $type='societe'; }
-		else if ($typeid == 3 || $typeid == 'member')    { $typeid=3; $table='member';  $type='member'; }
-        else if ($typeid == 4 || $typeid == 'contact')    { $typeid=4; $table='socpeople';  $type='contact'; }
+		if ($typeid === 0 || $typeid == 'product')         { $typeid=0; $table='product'; $type='product'; }
+		else if ($typeid === 1 || $typeid == 'supplier')  { $typeid=1; $table='societe'; $type='fournisseur'; }
+		else if ($typeid === 2 || $typeid == 'customer')  { $typeid=2; $table='societe'; $type='societe'; }
+		else if ($typeid === 3 || $typeid == 'member')    { $typeid=3; $table='member';  $type='member'; }
+        else if ($typeid === 4 || $typeid == 'contact')    { $typeid=4; $table='socpeople';  $type='contact'; }
 
 		$sql = "SELECT ct.fk_categorie, c.label";
 		$sql.= " FROM ".MAIN_DB_PREFIX."categorie_".$type." as ct, ".MAIN_DB_PREFIX."categorie as c";

From 739d309a0d3e38becd20c28bf07e41078fcf49c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Doursenaud?= <rdoursenaud@free.fr>
Date: Thu, 14 Aug 2014 08:46:51 +0200
Subject: [PATCH 02/18] Updated category fix

Categories ID can be passed as strings
PSR code formatting
---
 htdocs/categories/class/categorie.class.php | 29 ++++++++++++++++-----
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/htdocs/categories/class/categorie.class.php b/htdocs/categories/class/categorie.class.php
index 1788f2e1ac6..60b738ea8ba 100644
--- a/htdocs/categories/class/categorie.class.php
+++ b/htdocs/categories/class/categorie.class.php
@@ -1122,12 +1122,29 @@ class Categorie
 	{
 		$cats = array();
 
-		$table=''; $type='';
-		if ($typeid === 0 || $typeid == 'product')         { $typeid=0; $table='product'; $type='product'; }
-		else if ($typeid === 1 || $typeid == 'supplier')  { $typeid=1; $table='societe'; $type='fournisseur'; }
-		else if ($typeid === 2 || $typeid == 'customer')  { $typeid=2; $table='societe'; $type='societe'; }
-		else if ($typeid === 3 || $typeid == 'member')    { $typeid=3; $table='member';  $type='member'; }
-        else if ($typeid === 4 || $typeid == 'contact')    { $typeid=4; $table='socpeople';  $type='contact'; }
+        $table = '';
+        $type = '';
+        if ($typeid === 0 || $typeid === '0' || $typeid == 'product') {
+            $typeid = 0;
+            $table = 'product';
+            $type = 'product';
+        } else if ($typeid === 1 || $typeid === '1' || $typeid == 'supplier') {
+            $typeid = 1;
+            $table = 'societe';
+            $type = 'fournisseur';
+        } else if ($typeid === 2 || $typeid === '2' || $typeid == 'customer') {
+            $typeid = 2;
+            $table = 'societe';
+            $type = 'societe';
+        } else if ($typeid === 3 || $typeid === '3' || $typeid == 'member') {
+            $typeid = 3;
+            $table = 'member';
+            $type = 'member';
+        } else if ($typeid === 4 || $typeid === '4' || $typeid == 'contact') {
+            $typeid = 4;
+            $table = 'socpeople';
+            $type = 'contact';
+        }
 
 		$sql = "SELECT ct.fk_categorie, c.label";
 		$sql.= " FROM ".MAIN_DB_PREFIX."categorie_".$type." as ct, ".MAIN_DB_PREFIX."categorie as c";

From bff33166a59bf5e4ba20b9bdbd274a44f36b4741 Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Mon, 1 Sep 2014 11:49:44 +0200
Subject: [PATCH 03/18] Fix missing $user in create method

---
 htdocs/categories/fiche.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htdocs/categories/fiche.php b/htdocs/categories/fiche.php
index d43c4df9a3d..58b4696c305 100644
--- a/htdocs/categories/fiche.php
+++ b/htdocs/categories/fiche.php
@@ -132,7 +132,7 @@ if ($action == 'add' && $user->rights->categorie->creer)
 	// Create category in database
 	if (! $error)
 	{
-		$result = $object->create();
+		$result = $object->create($user);
 		if ($result > 0)
 		{
 			$action = 'confirmed';

From 67b308cb2549550777d76551800db94c4cf2b3d0 Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Tue, 2 Sep 2014 11:14:41 +0200
Subject: [PATCH 04/18] Fix: list event view lost type event filter

---
 ChangeLog                          | 1 +
 htdocs/comm/action/listactions.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 80696a3d7a6..9a40ed7e9ab 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@ Fix: Missing include files.lib.php in some pages to use dol_delete_recursive.
 Fix: [ bug #1558 ] Product/service edit page title shows new Ref instead of old ref.
 Fix: [ bug #1553 ] Saving User displays setup removes menu.
 Fix: [ bug #1544 ] Can remove date from invoice
+Fix: list event view lost type event filter
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/comm/action/listactions.php b/htdocs/comm/action/listactions.php
index ebe68fa3328..8b945a16670 100644
--- a/htdocs/comm/action/listactions.php
+++ b/htdocs/comm/action/listactions.php
@@ -211,7 +211,7 @@ if ($resql)
     $head = calendars_prepare_head('');
 
     dol_fiche_head($head, 'card', $langs->trans('Events'), 0, 'list');
-    print_actions_filter($form,$canedit,$status,$year,$month,$day,$showbirthday,$filtera,$filtert,$filterd,$pid,$socid,-1);
+    print_actions_filter($form,$canedit,$status,$year,$month,$day,$showbirthday,$filtera,$filtert,$filterd,$pid,$socid,-1,$actioncode);
     dol_fiche_end();
 
     // Add link to show birthdays

From 911aca399ddad5ecc9ebe7100eff5f89d31687f4 Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Tue, 2 Sep 2014 11:30:35 +0200
Subject: [PATCH 05/18] save code event

---
 ChangeLog                                     | 1 +
 htdocs/comm/action/class/actioncomm.class.php | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 9a40ed7e9ab..3b4def098c1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,7 @@ Fix: [ bug #1558 ] Product/service edit page title shows new Ref instead of old
 Fix: [ bug #1553 ] Saving User displays setup removes menu.
 Fix: [ bug #1544 ] Can remove date from invoice
 Fix: list event view lost type event filter
+Fix: Add code save on create event
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/comm/action/class/actioncomm.class.php b/htdocs/comm/action/class/actioncomm.class.php
index 10082062d06..b51b33e5b66 100644
--- a/htdocs/comm/action/class/actioncomm.class.php
+++ b/htdocs/comm/action/class/actioncomm.class.php
@@ -140,6 +140,7 @@ class ActionComm extends CommonObject
             if ($result > 0)
             {
                 $this->type_id=$cactioncomm->id;
+                $this->code=$cactioncomm->code;
             }
             else if ($result == 0)
             {

From b536c8a10c0d5267af13c8ffb3bd31aae558c1d5 Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Wed, 3 Sep 2014 10:24:41 +0200
Subject: [PATCH 06/18] Add missing image into amarok theme

---
 htdocs/theme/amarok/img/object_address.png | Bin 0 -> 1645 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 htdocs/theme/amarok/img/object_address.png

diff --git a/htdocs/theme/amarok/img/object_address.png b/htdocs/theme/amarok/img/object_address.png
new file mode 100644
index 0000000000000000000000000000000000000000..b20734da69abc6d778f525e70f27b74ff67f07b2
GIT binary patch
literal 1645
zcmeAS@N?(olHy`uVBq!ia0vp^d?3uh1|;P@bT0xa$r9IylHmNblJdl&R0hYC{G?O`
z&)mfH)S%SFl*+=BsWuD@%u1Od5hW46K32*3xq68pHF_1f1wh>l3^w)^1&PVosU-?Y
zsp*+{wo31J?^jaDOtDo8H}y5}EpSfF$n>ZxN)4{^3rViZPPR-@vbR&PsjvbXkegbP
zs8ErclUHn2VXFi-*9yo63F|8<fR&VF+bTgE72zA8;GAESs$i;Tpqp%9W}skZsAp(w
zVs37(qhMrUXrOOkq;F`XYiMp|Y-D9%pa2C*K--E^(yW49+@N*=dA3R!B_#z``ugSN
z<$C4Ddih1^`i7R4mLM~XjC6r2bc-wVN)jt{^NN*WCb*;)Cl_TFlw{`TDS%8&Ov*1U
zu~h=P6yk;40=Thx#n4~^2AF<DVu8M)o&m^9FonLp_?717!c`ZS1f?R}i`C%bkjjEo
z{h-w1{L-RiV8o><gRCmBaxO|uEXgkl$<NP$g<?QPeo20DMt*^UbFis`Z(?$09*7TC
z@9S&jnO9trn3tUD>0+w{G(j&jGsVin(!#{m#Ms!(3>eCWu7(z-t_H3y=FVo0#>N(I
zu5K{BF8Rr&xv6<2Fuf@Vy(T#If|5dR0nlcb)S}F?)D*X({9FaFm#s2!yTuTvc~HG6
zxZPreQ?EYIG5Vm0MT%&c5HR(CnDAr^<iHbtY927P7Xg#?u1QXu3=B*UJzX3_DsIJ0
zzUv>vC~<85XU69X7Cd4X;>gR0ytSq1*{xsaZf(*JU)$epxBk@4taY=a%(v#<ib^XD
z&&{2=Zd+bd^tGrfuBqo#0-FwbvAQ%eS2Yw1SUf+n=f$Gu@<0CG`(7J&=xLFn0Efa%
zpQN-jw$FcTq^_GBdRd|*!<Xo}^Pt(Ac{_q4^6sAhx%b;9rfqv)mz7UAR<Fn@#KOqJ
zT-SYFeAf!2D{}Tl&k6!#w{oVqW$dnhzHH(8?d9Ab`!zT?+MPc9D-ciPELG=P``j%5
z{@V2`H!TRzbv`a|BHg2=eD}vC%b)Aa<qpvjU9@n)wTA^|2Hs)w@}u@&jo6>0`9*3$
z!^DZl11yCde6%&T>bM&<hs}CyVIkAk+yA@0`m#~(zB}8*ZqLeI5T=q5$)(lh5EUdK
zy6M3q$q$pH7VZdgTh_v|@6VIG9E;MsF+saUx37zHDk>BDRZ~@XEyAdKr3aV2vu01r
zCW$#chmRlSyp*<i<-x3;m-b~cs{}9H321HSf2TY<`bvpT@5e|%<vPZ^_c~L=Yfscw
zFxxq6O{xBK{Uq<1LmT&c^B$QKH(xnZ@bTjd;p+~uOg}hZ#`my>!L90qnwzY4`<a+C
zPx`whU!3Nfdi2Qe@V^mf&oA7&m|17_!Q<~8d;ZRAlw|bT!DjesW`oZ~f$md|lSCXZ
zb1iZ4*1oo6-r`wG;-W`edH&eRm6){_UN=!%BPzN{E_f=tpw6l$liz+3It)wG9Ny<N
zm;L7R2x6P0qdYU}#9U4OH5(bzrX8KJl5fuWnJa#MTk`wJx@Eh!sCc@l$h4hIiOT7_
z`;T#cyIbJq^`g5T1%0?^P!k`|&35qi_T@LrdY7CHj+)Ci#cz4^^N$rSyr;wN?Y=E5
zKjYLU*J)8Fv~-!)otLcpaq}`)=#vi@o!R9kn%K(wt1LJt88mn9-2CQ)4<_iG=8Fu}
z6It<ONBWsW!N2GHzp6fZ*|saS++$W})S7E|lsN=k1$hoXSkJ)Bu+Y(`I`iyL5l{u-
M>FVdQ&MBb@0E{els{jB1

literal 0
HcmV?d00001


From 522b5a91bc8d9b7a87bbf2269384725b29d3202a Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 6 Sep 2014 00:21:09 +0200
Subject: [PATCH 07/18] Fix: Filter on direction of payment mode was not
 working.

Conflicts:
	htdocs/core/class/html.form.class.php
	htdocs/fourn/facture/fiche.php
---
 htdocs/compta/facture.php             |  6 +++---
 htdocs/core/class/html.form.class.php | 15 ++++++++-------
 htdocs/fourn/facture/fiche.php        |  8 ++++----
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/htdocs/compta/facture.php b/htdocs/compta/facture.php
index e0590d422fd..b17b59cf704 100644
--- a/htdocs/compta/facture.php
+++ b/htdocs/compta/facture.php
@@ -2352,7 +2352,7 @@ if ($action == 'create')
 
 	// Payment mode
 	print '<tr><td>'.$langs->trans('PaymentMode').'</td><td colspan="2">';
-	$form->select_types_paiements(isset($_POST['mode_reglement_id'])?$_POST['mode_reglement_id']:$mode_reglement_id,'mode_reglement_id');
+	$form->select_types_paiements(isset($_POST['mode_reglement_id'])?$_POST['mode_reglement_id']:$mode_reglement_id, 'mode_reglement_id', 'CRDT');
 	print '</td></tr>';
 
 	// Project
@@ -3356,11 +3356,11 @@ else if ($id > 0 || ! empty($ref))
 	print '</td><td colspan="3">';
 	if ($action == 'editmode')
 	{
-		$form->form_modes_reglement($_SERVER['PHP_SELF'].'?facid='.$object->id,$object->mode_reglement_id,'mode_reglement_id');
+		$form->form_modes_reglement($_SERVER['PHP_SELF'].'?facid='.$object->id, $object->mode_reglement_id, 'mode_reglement_id', 'CRDT');
 	}
 	else
 	{
-		$form->form_modes_reglement($_SERVER['PHP_SELF'].'?facid='.$object->id,$object->mode_reglement_id,'none');
+		$form->form_modes_reglement($_SERVER['PHP_SELF'].'?facid='.$object->id, $object->mode_reglement_id, 'none', 'CRDT');
 	}
 	print '</td></tr>';
 
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index b596ba911ae..f55eb81cdcc 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -2275,8 +2275,8 @@ class Form
         dol_syslog(get_class($this)."::select_type_paiements ".$selected.", ".$htmlname.", ".$filtertype.", ".$format,LOG_DEBUG);
 
         $filterarray=array();
-        if ($filtertype == 'CRDT')  	$filterarray=array(0,2);
-        elseif ($filtertype == 'DBIT') 	$filterarray=array(1,2);
+        if ($filtertype == 'CRDT')  	$filterarray=array(0,2,3);
+        elseif ($filtertype == 'DBIT') 	$filterarray=array(1,2,3);
         elseif ($filtertype != '' && $filtertype != '-1') $filterarray=explode(',',$filtertype);
 
         $this->load_cache_types_paiements();
@@ -3000,12 +3000,13 @@ class Form
     /**
      *    Affiche formulaire de selection des modes de reglement
      *
-     *    @param	string	$page        Page
-     *    @param    int		$selected    Id mode pre-selectionne
-     *    @param    string	$htmlname    Name of select html field
+     *    @param	string	$page        	Page
+     *    @param    int		$selected    	Id mode pre-selectionne
+     *    @param    string	$htmlname    	Name of select html field
+     *    @param  	string	$filtertype		To filter on field type in llx_c_paiement (array('code'=>xx,'label'=>zz))
      *    @return	void
      */
-    function form_modes_reglement($page, $selected='', $htmlname='mode_reglement_id')
+    function form_modes_reglement($page, $selected='', $htmlname='mode_reglement_id', $filtertype='')
     {
         global $langs;
         if ($htmlname != "none")
@@ -3015,7 +3016,7 @@ class Form
             print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
             print '<table class="nobordernopadding" cellpadding="0" cellspacing="0">';
             print '<tr><td>';
-            $this->select_types_paiements($selected,$htmlname);
+            $this->select_types_paiements($selected,$htmlname,$filtertype);
             print '</td>';
             print '<td align="left"><input type="submit" class="button" value="'.$langs->trans("Modify").'"></td>';
             print '</tr></table></form>';
diff --git a/htdocs/fourn/facture/fiche.php b/htdocs/fourn/facture/fiche.php
index 086d44254c8..1c86cfa6d7f 100644
--- a/htdocs/fourn/facture/fiche.php
+++ b/htdocs/fourn/facture/fiche.php
@@ -1279,12 +1279,12 @@ if ($action == 'create')
 
 	// Payment term
 	print '<tr><td class="nowrap">'.$langs->trans('PaymentConditionsShort').'</td><td colspan="2">';
-	$form->select_conditions_paiements(isset($_POST['cond_reglement_id'])?$_POST['cond_reglement_id']:$cond_reglement_id,'cond_reglement_id');
+	$form->select_conditions_paiements(isset($_POST['cond_reglement_id'])?$_POST['cond_reglement_id']:$cond_reglement_id, 'cond_reglement_id');
 	print '</td></tr>';
 
 	// Payment mode
 	print '<tr><td>'.$langs->trans('PaymentMode').'</td><td colspan="2">';
-	$form->select_types_paiements(isset($_POST['mode_reglement_id'])?$_POST['mode_reglement_id']:$mode_reglement_id,'mode_reglement_id');
+	$form->select_types_paiements(isset($_POST['mode_reglement_id'])?$_POST['mode_reglement_id']:$mode_reglement_id, 'mode_reglement_id', 'DBIT');
 	print '</td></tr>';
 
 	// Public note
@@ -1732,11 +1732,11 @@ else
 		print '</td><td colspan="2">';
 		if ($action == 'editmode')
 		{
-			$form->form_modes_reglement($_SERVER['PHP_SELF'].'?id='.$object->id,$object->mode_reglement_id,'mode_reglement_id');
+			$form->form_modes_reglement($_SERVER['PHP_SELF'].'?id='.$object->id, $object->mode_reglement_id, 'mode_reglement_id', 'DBIT');
 		}
 		else
 		{
-			$form->form_modes_reglement($_SERVER['PHP_SELF'].'?id='.$object->id,$object->mode_reglement_id,'none');
+			$form->form_modes_reglement($_SERVER['PHP_SELF'].'?id='.$object->id, $object->mode_reglement_id, 'none', 'DBIT');
 		}
 		print '</td></tr>';
 

From 8dd935821455b81a9f40d806d5f1930f7ab9c2a9 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 13 Sep 2014 19:04:25 +0200
Subject: [PATCH 08/18] Fix: SQL injection

---
 ChangeLog                                        |  7 ++++---
 htdocs/adherents/class/adherent.class.php        |  2 +-
 htdocs/adherents/liste.php                       | 10 +++++-----
 htdocs/cashdesk/index.php                        |  3 ++-
 htdocs/comm/propal/class/propal.class.php        |  2 +-
 htdocs/commande/info.php                         |  6 +++---
 htdocs/commande/orderstoinvoice.php              |  6 +++---
 htdocs/compta/bank/bankid_fr.php                 |  2 +-
 .../prelevement/class/bonprelevement.class.php   |  2 +-
 htdocs/compta/prelevement/liste.php              | 10 +++++-----
 htdocs/compta/prelevement/rejets.php             |  3 ++-
 htdocs/compta/recap-compta.php                   |  2 +-
 htdocs/contact/info.php                          | 10 +++++-----
 htdocs/contrat/class/contrat.class.php           |  4 ++--
 htdocs/contrat/info.php                          |  6 +++---
 htdocs/core/class/commonobject.class.php         |  2 +-
 .../fourn/class/fournisseur.commande.class.php   |  2 +-
 htdocs/holiday/index.php                         |  6 +++---
 htdocs/opensurvey/list.php                       |  6 +++---
 htdocs/product/index.php                         | 12 ++++++------
 htdocs/product/stats/contrat.php                 |  6 +++---
 htdocs/product/stock/liste.php                   | 16 ++++++++--------
 htdocs/product/stock/massstockmove.php           |  6 +++---
 htdocs/product/stock/replenishorders.php         | 13 ++++---------
 htdocs/projet/class/project.class.php            |  2 +-
 htdocs/projet/class/task.class.php               |  2 +-
 htdocs/projet/contact.php                        |  4 ++--
 htdocs/projet/tasks/index.php                    |  6 +++---
 28 files changed, 78 insertions(+), 80 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3b4def098c1..04e63ec1c8e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,9 +21,10 @@ Fix: When disabled, all fields to add time into task line must be disabled.
 Fix: Missing include files.lib.php in some pages to use dol_delete_recursive.
 Fix: [ bug #1558 ] Product/service edit page title shows new Ref instead of old ref.
 Fix: [ bug #1553 ] Saving User displays setup removes menu.
-Fix: [ bug #1544 ] Can remove date from invoice
-Fix: list event view lost type event filter
-Fix: Add code save on create event
+Fix: [ bug #1544 ] Can remove date from invoice.
+Fix: list event view lost type event filter.
+Fix: Add code save on create event.
+Fix: SQL injection.
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index f82f3005514..bf0360c11ce 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -1072,7 +1072,7 @@ class Adherent extends CommonObject
         if ($rowid) $sql.= " AND d.rowid=".$rowid;
         elseif ($ref || $fk_soc) {
         	$sql.= " AND d.entity IN (".getEntity().")";
-        	if ($ref) $sql.= " AND d.rowid='".$ref."'";
+        	if ($ref) $sql.= " AND d.rowid='".$this->db->escape($ref)."'";
         	elseif ($fk_soc) $sql.= " AND d.fk_soc='".$fk_soc."'";
         }
         elseif ($ref_ext)
diff --git a/htdocs/adherents/liste.php b/htdocs/adherents/liste.php
index 3a34403425f..1d80c82a713 100644
--- a/htdocs/adherents/liste.php
+++ b/htdocs/adherents/liste.php
@@ -118,24 +118,24 @@ if ($type > 0)
 }
 if (isset($_GET["statut"]) || isset($_POST["statut"]))
 {
-	$sql.=" AND d.statut in (".$statut.")";     // Peut valoir un nombre ou liste de nombre separes par virgules
+	$sql.=" AND d.statut in (".$db->escape($statut).")";     // Peut valoir un nombre ou liste de nombre separes par virgules
 }
 if ($search_ref)
 {
-	if (is_numeric($search_ref)) $sql.= " AND (d.rowid = ".$search_ref.")";
+	if (is_numeric($search_ref)) $sql.= " AND (d.rowid = ".$db->escape($search_ref).")";
 	else $sql.=" AND 1 = 2";    // Always wrong
 }
 if ($search_lastname)
 {
-	$sql.= " AND (d.firstname LIKE '%".$search_lastname."%' OR d.lastname LIKE '%".$search_lastname."%')";
+	$sql.= " AND (d.firstname LIKE '%".$db->escape($search_lastname)."%' OR d.lastname LIKE '%".$db->escape($search_lastname)."%')";
 }
 if ($search_login)
 {
-	$sql.= " AND d.login LIKE '%".$search_login."%'";
+	$sql.= " AND d.login LIKE '%".$db->escape($search_logi)."%'";
 }
 if ($search_email)
 {
-	$sql.= " AND (d.email LIKE '%".$search_email."%')";
+	$sql.= " AND (d.email LIKE '%".$db->escape($search_email)."%')";
 }
 if ($filter == 'uptodate')
 {
diff --git a/htdocs/cashdesk/index.php b/htdocs/cashdesk/index.php
index fe4171de72e..25aa73211d2 100644
--- a/htdocs/cashdesk/index.php
+++ b/htdocs/cashdesk/index.php
@@ -39,6 +39,7 @@ if ( $_SESSION['uid'] > 0 )
 }
 
 $usertxt=GETPOST('user','',1);
+$err=GETPOST("err");
 
 
 /*
@@ -64,7 +65,7 @@ top_htmlhead('','',0,0,'',$arrayofcss);
 
 <div class="contenu">
 <div class="principal_login">
-<?php if (! empty($_GET["err"])) print $_GET["err"]."<br><br>\n"; ?>
+<?php if ($err) print dol_escape_htmltag($err)."<br><br>\n"; ?>
 <fieldset class="cadre_facturation"><legend class="titre1"><?php echo $langs->trans("Identification"); ?></legend>
 <form id="frmLogin" method="POST" action="index_verif.php">
 	<input type="hidden" name="token" value="<?php echo $_SESSION['newtoken']; ?>" />
diff --git a/htdocs/comm/propal/class/propal.class.php b/htdocs/comm/propal/class/propal.class.php
index 244333a9a93..1c2fe54cc71 100644
--- a/htdocs/comm/propal/class/propal.class.php
+++ b/htdocs/comm/propal/class/propal.class.php
@@ -1046,7 +1046,7 @@ class Propal extends CommonObject
         $sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'c_input_reason as dr ON p.fk_input_reason = dr.rowid';
         $sql.= " WHERE p.fk_statut = c.id";
         $sql.= " AND p.entity = ".$conf->entity;
-        if ($ref) $sql.= " AND p.ref='".$ref."'";
+        if ($ref) $sql.= " AND p.ref='".$this->db->escape($ref)."'";
         else $sql.= " AND p.rowid=".$rowid;
 
         dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
diff --git a/htdocs/commande/info.php b/htdocs/commande/info.php
index c874ec049b8..fba4a600031 100644
--- a/htdocs/commande/info.php
+++ b/htdocs/commande/info.php
@@ -34,7 +34,7 @@ $langs->load("sendings");
 
 // Security check
 $socid=0;
-$comid = isset($_GET["id"])?$_GET["id"]:'';
+$comid = GETPOST("id",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result=restrictedArea($user,'commande',$comid,'');
 
@@ -47,8 +47,8 @@ $result=restrictedArea($user,'commande',$comid,'');
 llxHeader('',$langs->trans('Order'),'EN:Customers_Orders|FR:Commandes_Clients|ES:Pedidos de clientes');
 
 $commande = new Commande($db);
-$commande->fetch($_GET["id"]);
-$commande->info($_GET["id"]);
+$commande->fetch($comid);
+$commande->info($comid);
 $soc = new Societe($db);
 $soc->fetch($commande->socid);
 
diff --git a/htdocs/commande/orderstoinvoice.php b/htdocs/commande/orderstoinvoice.php
index 7411d3a9368..a2a1974944b 100644
--- a/htdocs/commande/orderstoinvoice.php
+++ b/htdocs/commande/orderstoinvoice.php
@@ -45,7 +45,7 @@ $langs->load('companies');
 if (! $user->rights->facture->creer)
 	accessforbidden();
 
-$id				= (GETPOST('id')?GETPOST("id"):GETPOST("facid"));  // For backward compatibility
+$id				= (GETPOST('id')?GETPOST('id','int'):GETPOST("facid"));  // For backward compatibility
 $ref			= GETPOST('ref','alpha');
 $action			= GETPOST('action','alpha');
 $confirm		= GETPOST('confirm','alpha');
@@ -97,7 +97,7 @@ if (($action == 'create' || $action == 'add') && empty($mesgs))
 	require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';
 	require_once DOL_DOCUMENT_ROOT.'/core/lib/invoice.lib.php';
 	if (! empty($conf->projet->enabled)) require_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
-	
+
 	$langs->load('bills');
 	$langs->load('products');
 	$langs->load('main');
@@ -213,7 +213,7 @@ if (($action == 'create' || $action == 'add') && empty($mesgs))
 							$result=$objectsrc->fetch($orders_id[$ii]);
 							if ($result > 0)
 							{
-								if ($closeOrders) 
+								if ($closeOrders)
 								{
 									$objectsrc->classifyBilled();
 									$objectsrc->setStatut(3);
diff --git a/htdocs/compta/bank/bankid_fr.php b/htdocs/compta/bank/bankid_fr.php
index d193ff83b59..152a3466db1 100644
--- a/htdocs/compta/bank/bankid_fr.php
+++ b/htdocs/compta/bank/bankid_fr.php
@@ -34,7 +34,7 @@ $langs->load("categories");
 $langs->load("bills");
 
 $action=GETPOST('action');
-$id=GETPOST('id');
+$id=GETPOST('id','int');
 
 // Security check
 if (isset($_GET["id"]) || isset($_GET["ref"]))
diff --git a/htdocs/compta/prelevement/class/bonprelevement.class.php b/htdocs/compta/prelevement/class/bonprelevement.class.php
index 740d92ac0d8..aa2ff1564b6 100644
--- a/htdocs/compta/prelevement/class/bonprelevement.class.php
+++ b/htdocs/compta/prelevement/class/bonprelevement.class.php
@@ -907,7 +907,7 @@ class BonPrelevement extends CommonObject
                 $sql = "INSERT INTO ".MAIN_DB_PREFIX."prelevement_bons (";
                 $sql.= " ref, entity, datec";
                 $sql.= ") VALUES (";
-                $sql.= "'".$ref."'";
+                $sql.= "'".$this->db->escape($ref)."'";
                 $sql.= ", ".$conf->entity;
                 $sql.= ", '".$this->db->idate($now)."'";
                 $sql.= ")";
diff --git a/htdocs/compta/prelevement/liste.php b/htdocs/compta/prelevement/liste.php
index 2cd859969a9..2767d456d22 100644
--- a/htdocs/compta/prelevement/liste.php
+++ b/htdocs/compta/prelevement/liste.php
@@ -78,19 +78,19 @@ $sql.= " AND f.entity = ".$conf->entity;
 if ($socid) $sql.= " AND s.rowid = ".$socid;
 if ($search_line)
 {
-    $sql.= " AND pl.rowid = '".$search_line."'";
+    $sql.= " AND pl.rowid = '".$db->escape($search_line)."'";
 }
 if ($search_bon)
 {
-    $sql.= " AND p.ref LIKE '%".$search_bon."%'";
+    $sql.= " AND p.ref LIKE '%".$db->escape($search_bon)."%'";
 }
 if ($search_code)
 {
-    $sql.= " AND s.code_client LIKE '%".$search_code."%'";
+    $sql.= " AND s.code_client LIKE '%".$db->escape($search_code)."%'";
 }
 if ($search_societe)
 {
-    $sql .= " AND s.nom LIKE '%".$search_societe."%'";
+    $sql .= " AND s.nom LIKE '%".$db->escape($search_societe)."%'";
 }
 $sql.=$db->order($sortfield,$sortorder);
 $sql.=$db->plimit($conf->liste_limit+1, $offset);
@@ -104,7 +104,7 @@ if ($result)
     $urladd = "&amp;statut=".$statut;
     $urladd .= "&amp;search_bon=".$search_bon;
 
-    print_barre_liste($langs->trans("WithdrawalsLines"), $page, "liste.php", $urladd, $sortfield, $sortorder, '', $num);
+    print_barre_liste($langs->trans("WithdrawalsLines"), $page, $_SERVER["PHP_SELF"], $urladd, $sortfield, $sortorder, '', $num);
 
     print"\n<!-- debut table -->\n";
     print '<table class="liste" width="100%">';
diff --git a/htdocs/compta/prelevement/rejets.php b/htdocs/compta/prelevement/rejets.php
index b307717e4b3..b511f79cdd7 100644
--- a/htdocs/compta/prelevement/rejets.php
+++ b/htdocs/compta/prelevement/rejets.php
@@ -76,7 +76,8 @@ $sql.= " AND pl.fk_prelevement_bons = p.rowid";
 $sql.= " AND pl.fk_soc = s.rowid";
 $sql.= " AND p.entity = ".$conf->entity;
 if ($socid) $sql.= " AND s.rowid = ".$socid;
-$sql .= " ORDER BY $sortfield $sortorder " . $db->plimit($conf->liste_limit+1, $offset);
+$sql.= " ".$db->order($sortfield, $sortorder);
+$sql.= " ".$db->plimit($conf->liste_limit+1, $offset);
 
 $result = $db->query($sql);
 if ($result)
diff --git a/htdocs/compta/recap-compta.php b/htdocs/compta/recap-compta.php
index 609a624adce..e0b9dd5cf45 100644
--- a/htdocs/compta/recap-compta.php
+++ b/htdocs/compta/recap-compta.php
@@ -30,7 +30,7 @@ $langs->load("companies");
 if (! empty($conf->facture->enabled)) $langs->load("bills");
 
 // Security check
-$socid = $_GET["socid"];
+$socid = GETPOST("socid",'int');
 if ($user->societe_id > 0)
 {
   $action = '';
diff --git a/htdocs/contact/info.php b/htdocs/contact/info.php
index 939b0252623..3ac6747bb6b 100644
--- a/htdocs/contact/info.php
+++ b/htdocs/contact/info.php
@@ -31,22 +31,22 @@ require_once DOL_DOCUMENT_ROOT.'/core/lib/contact.lib.php';
 $langs->load("companies");
 
 // Security check
-$contactid = isset($_GET["id"])?$_GET["id"]:'';
+$contactid = GETPOST("id",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contact', $contactid, 'socpeople&societe');
 
 
 
 /*
-* 	View
-*/
+ * 	View
+ */
 
 llxHeader('',$langs->trans("ContactsAddresses"),'EN:Module_Third_Parties|FR:Module_Tiers|ES:M&oacute;dulo_Empresas');
 
 
 $contact = new Contact($db);
-$contact->fetch($_GET["id"], $user);
-$contact->info($_GET["id"]);
+$contact->fetch($contactid, $user);
+$contact->info($contactid);
 
 
 $head = contact_prepare_head($contact);
diff --git a/htdocs/contrat/class/contrat.class.php b/htdocs/contrat/class/contrat.class.php
index 7da3e5aaf7e..dbe3778629e 100644
--- a/htdocs/contrat/class/contrat.class.php
+++ b/htdocs/contrat/class/contrat.class.php
@@ -410,7 +410,7 @@ class Contrat extends CommonObject
 		$sql.= " FROM ".MAIN_DB_PREFIX."contrat";
 		if ($ref)
 		{
-			$sql.= " WHERE ref='".$ref."'";
+			$sql.= " WHERE ref='".$this->db->escape($ref)."'";
 			$sql.= " AND entity IN (".getEntity('contract').")";
 		}
 		else $sql.= " WHERE rowid=".$id;
@@ -1942,7 +1942,7 @@ class ContratLigne
 		$sql.= " t.commentaire";
 		$sql.= " FROM ".MAIN_DB_PREFIX."contratdet as t";
 		if ($id)  $sql.= " WHERE t.rowid = ".$id;
-		if ($ref) $sql.= " WHERE t.rowid = '".$ref."'";
+		if ($ref) $sql.= " WHERE t.rowid = '".$this->db->escape($ref)."'";
 
 		dol_syslog(get_class($this)."::fetch sql=".$sql, LOG_DEBUG);
 		$resql=$this->db->query($sql);
diff --git a/htdocs/contrat/info.php b/htdocs/contrat/info.php
index 8764c53eea5..aab25122885 100644
--- a/htdocs/contrat/info.php
+++ b/htdocs/contrat/info.php
@@ -29,7 +29,7 @@ require_once DOL_DOCUMENT_ROOT.'/contrat/class/contrat.class.php';
 $langs->load("contracts");
 
 // Security check
-$contratid = isset($_GET["id"])?$_GET["id"]:'';
+$contratid = GETPOST("id",'int');
 if ($user->societe_id) $socid=$user->societe_id;
 $result = restrictedArea($user, 'contrat',$contratid,'');
 
@@ -41,8 +41,8 @@ $result = restrictedArea($user, 'contrat',$contratid,'');
 llxHeader();
 
 $contrat = new Contrat($db);
-$contrat->fetch($_GET["id"]);
-$contrat->info($_GET["id"]);
+$contrat->fetch($contratid);
+$contrat->info($contratid);
 
 $head = contract_prepare_head($contrat);
 
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index bdffb1fc708..dc2fe2888ad 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -2002,7 +2002,7 @@ abstract class CommonObject
         $sql.= " FROM ".MAIN_DB_PREFIX.$this->table_element;
         $sql.= " WHERE entity IN (".getEntity($this->element, 1).")";
         if (! empty($id))  $sql.= " AND rowid = ".$id;
-        if (! empty($ref)) $sql.= " AND ref = '".$ref."'";
+        if (! empty($ref)) $sql.= " AND ref = '".$this->db->escape($ref)."'";
 
         $resql = $this->db->query($sql);
         if ($resql)
diff --git a/htdocs/fourn/class/fournisseur.commande.class.php b/htdocs/fourn/class/fournisseur.commande.class.php
index 6d0edce5a65..abcf8755991 100644
--- a/htdocs/fourn/class/fournisseur.commande.class.php
+++ b/htdocs/fourn/class/fournisseur.commande.class.php
@@ -132,7 +132,7 @@ class CommandeFournisseur extends CommonOrder
         $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."c_paiement as p ON (c.fk_mode_reglement = p.id)";
         $sql.= " LEFT JOIN ".MAIN_DB_PREFIX."c_input_method as cm ON cm.rowid = c.fk_input_method";
         $sql.= " WHERE c.entity = ".$conf->entity;
-        if ($ref) $sql.= " AND c.ref='".$ref."'";
+        if ($ref) $sql.= " AND c.ref='".$this->db->escape($ref)."'";
         else $sql.= " AND c.rowid=".$id;
 
         dol_syslog(get_class($this)."::fetch sql=".$sql,LOG_DEBUG);
diff --git a/htdocs/holiday/index.php b/htdocs/holiday/index.php
index e7c4b0a3d50..5f6c509902f 100644
--- a/htdocs/holiday/index.php
+++ b/htdocs/holiday/index.php
@@ -51,7 +51,7 @@ $offset = $conf->liste_limit * $page ;
 $pageprev = $page - 1;
 $pagenext = $page + 1;
 
-$id = GETPOST('id');
+$id = GETPOST('id','int');
 
 $search_ref      = GETPOST('search_ref');
 $month_create    = GETPOST('month_create');
@@ -249,7 +249,7 @@ if ($id > 0)
 }
 else {
 	print '</div>';
-} 
+}
 
 print '<form method="get" action="'.$_SERVER["PHP_SELF"].'">'."\n";
 print '<table class="noborder" width="100%;">';
@@ -299,7 +299,7 @@ if($user->rights->holiday->lire_tous)
     $form->select_users($search_valideur,"search_valideur",1,"",0,$valideurarray,'');
     print '</td>';
 }
-else 
+else
 {
     print '<td class="liste_titre">&nbsp;</td>';
 }
diff --git a/htdocs/opensurvey/list.php b/htdocs/opensurvey/list.php
index 908a01db8fd..cad3ffdf568 100644
--- a/htdocs/opensurvey/list.php
+++ b/htdocs/opensurvey/list.php
@@ -26,7 +26,7 @@ require_once(DOL_DOCUMENT_ROOT."/core/lib/admin.lib.php");
 require_once(DOL_DOCUMENT_ROOT."/core/lib/files.lib.php");
 
 $action=GETPOST('action');
-$id=GETPOST('id');
+$id=GETPOST('id','alpha');
 $numsondage=substr($id, 0, 16);
 
 if (! $sortorder) $sortorder="ASC";
@@ -47,9 +47,9 @@ if ($action == 'delete_confirm')
 	$db->begin();
 
 	$object=new Opensurveysondage($db);
-	
+
 	$result=$object->delete($user,'',$numsondageadmin);
-	
+
 	$db->commit();
 }
 
diff --git a/htdocs/product/index.php b/htdocs/product/index.php
index 906bba70e5b..6c93c85da9f 100644
--- a/htdocs/product/index.php
+++ b/htdocs/product/index.php
@@ -27,7 +27,7 @@ require '../main.inc.php';
 require_once DOL_DOCUMENT_ROOT.'/product/class/product.class.php';
 require_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 
-$type=isset($_GET["type"])?$_GET["type"]:(isset($_POST["type"])?$_POST["type"]:'');
+$type=GETPOST("type",'int');
 if ($type =='' && !$user->rights->produit->lire) $type='1';	// Force global page on service page only
 if ($type =='' && !$user->rights->service->lire) $type='0';	// Force global page on product page only
 
@@ -261,7 +261,7 @@ else
 
 
 // TODO Move this into a page that should be available into menu "accountancy - report - turnover - per quarter"
-// Also method used for counting must provide the 2 possible methods like done by all other reports into menu "accountancy - report - turnover": 
+// Also method used for counting must provide the 2 possible methods like done by all other reports into menu "accountancy - report - turnover":
 // "commitment engagment" method and "cash accounting" method
 if ($conf->global->MAIN_FEATURES_LEVEL)
 {
@@ -283,8 +283,8 @@ $db->close();
 function activitytrim($product_type)
 {
 	global $conf,$langs,$db;
-	
-	// We display the last 3 years 
+
+	// We display the last 3 years
 	$yearofbegindate=date('Y',dol_time_plus_duree(time(), -3, "y"));
 
 	// breakdown by quarter
@@ -311,7 +311,7 @@ function activitytrim($product_type)
 		$trim4=0;
 		$lgn = 0;
 		$num = $db->num_rows($result);
-		
+
 		if ($num > 0 )
 		{
 			print '<br>';
@@ -353,7 +353,7 @@ function activitytrim($product_type)
 				$trim3=0;
 				$trim4=0;
 			}
-			
+
 			if ($objp->mois == "01" || $objp->mois == "02" || $objp->mois == "03")
 				$trim1 += $objp->Mnttot;
 
diff --git a/htdocs/product/stats/contrat.php b/htdocs/product/stats/contrat.php
index 8c5a76e1ac9..982d8d4287e 100644
--- a/htdocs/product/stats/contrat.php
+++ b/htdocs/product/stats/contrat.php
@@ -70,7 +70,7 @@ if ($id > 0 || ! empty($ref))
 {
 	$product = new Product($db);
 	$result = $product->fetch($id, $ref);
-	
+
 	$parameters=array('id'=>$id);
 	$reshook=$hookmanager->executeHooks('doActions',$parameters,$product,$action);    // Note that $action and $object may have been modified by some hooks
 	$error=$hookmanager->error; $errors=$hookmanager->errors;
@@ -83,7 +83,7 @@ if ($id > 0 || ! empty($ref))
 		$titre=$langs->trans("CardProduct".$product->type);
 		$picto=($product->type==1?'service':'product');
 		dol_fiche_head($head, 'referers', $titre, 0, $picto);
-		
+
 		$reshook=$hookmanager->executeHooks('formObjectOptions',$parameters,$product,$action);    // Note that $action and $object may have been modified by hook
 
 		print '<table class="border" width="100%">';
@@ -135,7 +135,7 @@ if ($id > 0 || ! empty($ref))
 		if (!$user->rights->societe->client->voir && !$socid) $sql.= " AND s.rowid = sc.fk_soc AND sc.fk_user = " .$user->id;
 		if ($socid) $sql.= " AND s.rowid = ".$socid;
 		$sql.= " GROUP BY c.rowid, c.date_contrat, c.statut, s.nom, s.rowid, s.code_client";
-		$sql.= " ORDER BY $sortfield $sortorder";
+		$sql.= $db->order($sortfield, $sortorder);
 		$sql.= $db->plimit($conf->liste_limit +1, $offset);
 
 		$result = $db->query($sql);
diff --git a/htdocs/product/stock/liste.php b/htdocs/product/stock/liste.php
index 55e6f858124..04b866b0544 100644
--- a/htdocs/product/stock/liste.php
+++ b/htdocs/product/stock/liste.php
@@ -31,12 +31,12 @@ $langs->load("stocks");
 // Security check
 $result=restrictedArea($user,'stock');
 
-$sref=isset($_GET["sref"])?$_GET["sref"]:$_POST["sref"];
-$snom=isset($_GET["snom"])?$_GET["snom"]:$_POST["snom"];
-$sall=isset($_GET["sall"])?$_GET["sall"]:$_POST["sall"];
+$sref=GETPOST("sref");;
+$snom=GETPOST("snom");
+$sall=GETPOST("sall");
 
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
+$sortfield = GETPOST("sortfield");
+$sortorder = GETPOST("sortorder");
 if (! $sortfield) $sortfield="e.label";
 if (! $sortorder) $sortorder="ASC";
 $page = $_GET["page"];
@@ -50,13 +50,13 @@ $sql.= " FROM ".MAIN_DB_PREFIX."entrepot as e";
 $sql.= " WHERE e.entity = ".$conf->entity;
 if ($sref)
 {
-    $sql.= " AND e.label like '%".$sref."%'";
+    $sql.= " AND e.label like '%".$db->escape($sref)."%'";
 }
 if ($sall)
 {
-    $sql.= " AND (e.description like '%".$sall."%' OR e.lieu like '%".$sall."%' OR e.address like '%".$sall."%' OR e.town like '%".$sall."%')";
+    $sql.= " AND (e.description like '%".$db->escape($sall)."%' OR e.lieu like '%".$db->escape($sall)."%' OR e.address like '%".$db->escape($sall)."%' OR e.town like '%".$db->escape($sall)."%')";
 }
-$sql.= " ORDER BY $sortfield $sortorder";
+$sql.= $db->order($sortfield,$sortorder);
 $sql.= $db->plimit($limit+1, $offset);
 
 $result = $db->query($sql);
diff --git a/htdocs/product/stock/massstockmove.php b/htdocs/product/stock/massstockmove.php
index 6159a4362e9..481adbd848b 100644
--- a/htdocs/product/stock/massstockmove.php
+++ b/htdocs/product/stock/massstockmove.php
@@ -44,9 +44,9 @@ $result=restrictedArea($user,'produit|service');
 //checks if a product has been ordered
 
 $action = GETPOST('action','alpha');
-$id_product = GETPOST('productid', 'productid');
-$id_sw = GETPOST('id_sw', 'id_sw');
-$id_tw = GETPOST('id_tw', 'id_tw');
+$id_product = GETPOST('productid', 'int');
+$id_sw = GETPOST('id_sw', 'int');
+$id_tw = GETPOST('id_tw', 'int');
 $qty = GETPOST('qty');
 $idline = GETPOST('idline');
 
diff --git a/htdocs/product/stock/replenishorders.php b/htdocs/product/stock/replenishorders.php
index b1d2ec5c69d..7b64151c3dd 100644
--- a/htdocs/product/stock/replenishorders.php
+++ b/htdocs/product/stock/replenishorders.php
@@ -72,13 +72,8 @@ $sproduct = GETPOST('sproduct', 'int');
 $sortorder = GETPOST('sortorder', 'alpha');
 $sortfield = GETPOST('sortfield', 'alpha');
 
-if (!$sortorder) {
-    $sortorder = 'DESC';
-}
-
-if (!$sortfield) {
-    $sortfield = 'cf.date_creation';
-}
+if (!$sortorder) $sortorder = 'DESC';
+if (!$sortfield) $sortfield = 'cf.date_creation';
 
 $offset = $conf->liste_limit * $page ;
 
@@ -146,7 +141,7 @@ if (GETPOST('statut', 'int')) {
 }
 $sql .= ' GROUP BY cf.rowid, cf.ref, cf.date_creation, cf.fk_statut';
 $sql .= ', cf.total_ttc, cf.fk_user_author, u.login, s.rowid, s.nom';
-$sql .= ' ORDER BY ' . $sortfield . ' ' . $sortorder  . ' ';
+$sql .= $db->order($sortfield, $sortorder);
 $sql .= $db->plimit($conf->liste_limit+1, $offset);
 $resql = $db->query($sql);
 if ($resql)
@@ -317,7 +312,7 @@ if ($resql)
          '</form>';
 
     $db->free($resql);
-    
+
     dol_fiche_end();
 }
 else
diff --git a/htdocs/projet/class/project.class.php b/htdocs/projet/class/project.class.php
index d42262ffe4f..edfbdb38b2a 100644
--- a/htdocs/projet/class/project.class.php
+++ b/htdocs/projet/class/project.class.php
@@ -297,7 +297,7 @@ class Project extends CommonObject
         }
         else if (! empty($ref))
         {
-        	$sql.= " WHERE ref='".$ref."'";
+        	$sql.= " WHERE ref='".$this->db->escape($ref)."'";
         	$sql.= " AND entity IN (".getEntity('project').")";
         }
 
diff --git a/htdocs/projet/class/task.class.php b/htdocs/projet/class/task.class.php
index 57b1ecc695e..4f883e1b743 100644
--- a/htdocs/projet/class/task.class.php
+++ b/htdocs/projet/class/task.class.php
@@ -207,7 +207,7 @@ class Task extends CommonObject
         $sql.= " FROM ".MAIN_DB_PREFIX."projet_task as t";
         $sql.= " WHERE ";
         if (!empty($ref)) {
-        	$sql.="t.ref = '".$ref."'";
+        	$sql.="t.ref = '".$this->db->escape($ref)."'";
         }else {
         	$sql.="t.rowid = ".$id;
         }
diff --git a/htdocs/projet/contact.php b/htdocs/projet/contact.php
index 3e44f9a0ed9..3da43cd5b81 100644
--- a/htdocs/projet/contact.php
+++ b/htdocs/projet/contact.php
@@ -93,7 +93,7 @@ if ($action == 'swapstatut' && $user->rights->projet->creer)
 {
 	if ($object->fetch($id))
 	{
-	    $result=$object->swapContactStatus(GETPOST('ligne'));
+	    $result=$object->swapContactStatus(GETPOST('ligne','int'));
 	}
 	else
 	{
@@ -105,7 +105,7 @@ if ($action == 'swapstatut' && $user->rights->projet->creer)
 if (($action == 'deleteline' || $action == 'deletecontact') && $user->rights->projet->creer)
 {
 	$object->fetch($id);
-	$result = $object->delete_contact($_GET["lineid"]);
+	$result = $object->delete_contact(GETPOST("lineid"));
 
 	if ($result >= 0)
 	{
diff --git a/htdocs/projet/tasks/index.php b/htdocs/projet/tasks/index.php
index 5483c41e411..a798157dd11 100644
--- a/htdocs/projet/tasks/index.php
+++ b/htdocs/projet/tasks/index.php
@@ -41,9 +41,9 @@ $socid=0;
 if ($user->societe_id > 0) $socid = $user->societe_id;
 if (!$user->rights->projet->lire) accessforbidden();
 
-$sortfield = isset($_GET["sortfield"])?$_GET["sortfield"]:$_POST["sortfield"];
-$sortorder = isset($_GET["sortorder"])?$_GET["sortorder"]:$_POST["sortorder"];
-$page = isset($_GET["page"])? $_GET["page"]:$_POST["page"];
+$sortfield = GETPOST("sortfield");
+$sortorder = GETPOST("sortorder");
+$page = GETPOST("page");
 $page = is_numeric($page) ? $page : 0;
 $page = $page == -1 ? 0 : $page;
 

From ba70c1a08a8793b773729e9e87e9444b5a64623b Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sat, 13 Sep 2014 20:47:34 +0200
Subject: [PATCH 09/18] Fix: typo on debian files

---
 build/debian/control            | 8 ++++----
 build/debian/get-orig-source.sh | 8 ++++++--
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/build/debian/control b/build/debian/control
index f573f64b812..f4f9e12aa58 100755
--- a/build/debian/control
+++ b/build/debian/control
@@ -39,10 +39,10 @@ Description: Web based software to manage a company or foundation
  It's a web software you can install as a standalone program or on any web
  hosting provider to use it from anywhere with any web browser.
  .
- Dolibarr was designed to be easy to use. Only the features that you need are 
- visible, depending on which modules were activated.
+ Dolibarr was designed to be easy to use. Only the features that you need
+ are visible, depending on which modules were activated.
  .
- Most common used modules are:
+ This is an example of most common used modules:
  .
  Customers, Suppliers or Prospects directory,
  Contacts directory,
@@ -66,6 +66,6 @@ Description: Web based software to manage a company or foundation
  Wizards to export and import data,
  LDAP connectivity,
  PDF exports,
- And a lot of more modules...
+ And a lot more modules...
  .
  You can also add third parties external modules or develop yours.
diff --git a/build/debian/get-orig-source.sh b/build/debian/get-orig-source.sh
index 57f87ab1999..418bbbc2199 100755
--- a/build/debian/get-orig-source.sh
+++ b/build/debian/get-orig-source.sh
@@ -8,16 +8,20 @@ echo "tmpdir = $tmpdir"
 if [ -n "$1" ]; then
     uscan_opts="--download-version=$1"
 fi
-uscan --noconf --force-download --no-symlink --verbose --destdir=$tmpdir $uscan_opts
+#uscan --noconf --force-download --no-symlink --verbose --destdir=$tmpdir $uscan_opts
 
 cd $tmpdir
 
+# Other method to download (comment uscan if you use this)
+wget http://www.dolibarr.org/files/stable/standard/dolibarr-3.5.4.tgz
+
+# Rename file to add +dfsg
 tgzfile=$(echo *.tgz)
 version=$(echo "$tgzfile" | perl -pi -e 's/^dolibarr-//; s/\.tgz$//; s/_/./g; s/\+nmu1//; ')
 
 cd - >/dev/null
 
 mv $tmpdir/dolibarr-${version}.tgz ../
-echo "File ../dolibarr-${version}.tgz is ready for git-import"
+echo "File ../dolibarr-${version}.tgz is ready for git-import-orig"
 
 rm -rf $tmpdir

From 949ae2f160caf39293fd55918f31ca76c5a11c05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Sun, 14 Sep 2014 13:09:31 +0200
Subject: [PATCH 10/18] [ bug #1591 ] Linked object block shows Total HT/TTC
 even if not having permission to read them

---
 ChangeLog                                       |  1 +
 .../comm/propal/tpl/linkedobjectblock.tpl.php   | 17 +++++++++++++----
 htdocs/commande/tpl/linkedobjectblock.tpl.php   | 15 ++++++++++++---
 .../facture/tpl/linkedobjectblock.tpl.php       | 15 ++++++++++++---
 htdocs/expedition/tpl/linkedobjectblock.tpl.php | 15 ++++++++++++---
 .../commande/tpl/linkedobjectblock.tpl.php      | 15 ++++++++++++---
 .../fourn/facture/tpl/linkedobjectblock.tpl.php | 15 ++++++++++++---
 7 files changed, 74 insertions(+), 19 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04e63ec1c8e..575aa1aa0e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ Fix: [ bug #1544 ] Can remove date from invoice.
 Fix: list event view lost type event filter.
 Fix: Add code save on create event.
 Fix: SQL injection.
+Fix: [ bug #1591 ] Linked object block shows Total HT/TTC even if not having permission to read them
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php b/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php
index 632dee63965..cb920afd5fc 100644
--- a/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php
+++ b/htdocs/comm/propal/tpl/linkedobjectblock.tpl.php
@@ -1,6 +1,7 @@
 <?php
 /* Copyright (C) 2010-2011  Regis Houssin <regis.houssin@capnetworks.com>
- * Copyright (C) 2013		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2013       Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2014       Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -27,6 +28,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -52,17 +55,23 @@ foreach($linkedObjectBlock as $object)
 	<a href="<?php echo DOL_URL_ROOT.'/comm/propal.php?id='.$object->id ?>"><?php echo img_object($langs->trans("ShowPropal"),"propal").' '.$object->ref; ?></a></td>
 	<td><?php echo $object->ref_client; ?></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->propale->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="3"><?php echo $langs->trans('TotalHT'); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->propale->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>
diff --git a/htdocs/commande/tpl/linkedobjectblock.tpl.php b/htdocs/commande/tpl/linkedobjectblock.tpl.php
index c7d073501a3..d2fe19c5b6f 100644
--- a/htdocs/commande/tpl/linkedobjectblock.tpl.php
+++ b/htdocs/commande/tpl/linkedobjectblock.tpl.php
@@ -1,6 +1,7 @@
 <?php
 /* Copyright (C) 2010-2011	Regis Houssin <regis.houssin@capnetworks.com>
  * Copyright (C) 2013		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2014       Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -22,6 +23,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -47,17 +50,23 @@ foreach($linkedObjectBlock as $object)
 <tr <?php echo $GLOBALS['bc'][$var]; ?> ><td>
 	<a href="<?php echo DOL_URL_ROOT.'/commande/fiche.php?id='.$object->id ?>"><?php echo img_object($langs->trans("ShowOrder"),"order").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->commande->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="2"><?php echo $langs->trans('TotalHT'); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->commande->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>
diff --git a/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php b/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php
index f0fca0b90ff..ae3038a6021 100644
--- a/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php
+++ b/htdocs/compta/facture/tpl/linkedobjectblock.tpl.php
@@ -1,6 +1,7 @@
 <?php
 /* Copyright (C) 2010-2011	Regis Houssin <regis.houssin@capnetworks.com>
  * Copyright (C) 2013		Juanjo Menent <jmenent@2byte.es>
+ * Copyright (C) 2014       Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -22,6 +23,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -47,16 +50,22 @@ foreach($linkedObjectBlock as $object)
 <tr <?php echo $GLOBALS['bc'][$var]; ?> ><td>
 	<a href="<?php echo DOL_URL_ROOT.'/compta/facture.php?facid='.$object->id ?>"><?php echo img_object($langs->trans("ShowBill"),"bill").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->facture->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="2"><?php echo $langs->trans("TotalHT"); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->facture->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>
diff --git a/htdocs/expedition/tpl/linkedobjectblock.tpl.php b/htdocs/expedition/tpl/linkedobjectblock.tpl.php
index fd723650561..364afb92177 100644
--- a/htdocs/expedition/tpl/linkedobjectblock.tpl.php
+++ b/htdocs/expedition/tpl/linkedobjectblock.tpl.php
@@ -1,5 +1,6 @@
 <?php
 /* Copyright (C) 2012 Regis Houssin <regis.houssin@capnetworks.com>
+ * Copyright (C) 2014 Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,6 +22,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -47,17 +50,23 @@ foreach($linkedObjectBlock as $object)
 	<a href="<?php echo DOL_URL_ROOT.'/expedition/fiche.php?id='.$object->id ?>"><?php echo img_object($langs->trans("ShowShipping"),"sending").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date_creation,'day'); ?></td>
 	<td align="center"><?php echo dol_print_date($object->date_delivery,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->expedition->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="3"><?php echo $langs->trans('TotalHT'); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->expedition->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>
diff --git a/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php b/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php
index d1e209eb54b..fc1942e0f61 100644
--- a/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php
+++ b/htdocs/fourn/commande/tpl/linkedobjectblock.tpl.php
@@ -1,5 +1,6 @@
 <?php
 /* Copyright (C) 2010-2011 Regis Houssin <regis.houssin@capnetworks.com>
+ * Copyright (C) 2014      Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,6 +22,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -44,17 +47,23 @@ foreach($linkedObjectBlock as $object)
 <tr <?php echo $bc[$var]; ?> ><td>
 	<a href="<?php echo DOL_URL_ROOT.'/fourn/commande/fiche.php?id='.$object->id ?>"><?php echo img_object($langs->trans("ShowOrder"),"order").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->fournisseur->commande->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="2"><?php echo $langs->trans('TotalHT'); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->fournisseur->commande->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>
diff --git a/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php b/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php
index ab585cc4b1f..c10fea8bb8a 100644
--- a/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php
+++ b/htdocs/fourn/facture/tpl/linkedobjectblock.tpl.php
@@ -1,5 +1,6 @@
 <?php
 /* Copyright (C) 2010-2011 Regis Houssin <regis.houssin@capnetworks.com>
+ * Copyright (C) 2014      Marcos García <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -21,6 +22,8 @@
 
 <?php
 
+global $user;
+
 $langs = $GLOBALS['langs'];
 $linkedObjectBlock = $GLOBALS['linkedObjectBlock'];
 
@@ -45,16 +48,22 @@ foreach($linkedObjectBlock as $object)
 <tr <?php echo $bc[$var]; ?> ><td>
 	<a href="<?php echo DOL_URL_ROOT.'/fourn/facture/fiche.php?facid='.$object->id ?>"><?php echo img_object($langs->trans("ShowBill"),"bill").' '.$object->ref; ?></a></td>
 	<td align="center"><?php echo dol_print_date($object->date,'day'); ?></td>
-	<td align="right"><?php echo price($object->total_ht); ?></td>
+	<td align="right"><?php
+		if ($user->rights->fournisseur->facture->lire) {
+			$total = $total + $object->total_ht;
+			echo price($object->total_ht);
+		} ?></td>
 	<td align="right"><?php echo $object->getLibStatut(3); ?></td>
 </tr>
 <?php
-$total = $total + $object->total_ht;
 }
 ?>
 <tr class="liste_total">
 	<td align="left" colspan="2"><?php echo $langs->trans("TotalHT"); ?></td>
-	<td align="right"><?php echo price($total); ?></td>
+	<td align="right"><?php
+		if ($user->rights->fournisseur->facture->lire) {
+			echo price($total);
+		} ?></td>
 	<td>&nbsp;</td>
 </tr>
 </table>

From 74e16db6321a27b4d064af12bb8ef8d2860c8cf3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Sun, 14 Sep 2014 13:14:03 +0200
Subject: [PATCH 11/18] [ bug #1589 ] Menu type in "Edit menu" page is not
 translated

---
 ChangeLog                   | 1 +
 htdocs/admin/menus/edit.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 04e63ec1c8e..46efcc8492d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ Fix: [ bug #1544 ] Can remove date from invoice.
 Fix: list event view lost type event filter.
 Fix: Add code save on create event.
 Fix: SQL injection.
+Fix: [ bug #1589 ] Menu type in "Edit menu" page is not translated
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/admin/menus/edit.php b/htdocs/admin/menus/edit.php
index bf382be58ed..5c7d336c4a0 100644
--- a/htdocs/admin/menus/edit.php
+++ b/htdocs/admin/menus/edit.php
@@ -317,7 +317,7 @@ if ($action == 'create')
     print '<tr><td class="fieldrequired">'.$langs->trans('Type').'</td><td>';
     if ($parent_rowid)
     {
-        print 'Left';
+        print $langs->trans('Left');
         print '<input type="hidden" name="type" value="left">';
     }
     else

From afd631e6e3aa2d36b5af62fc30b0ac6e9d5a9321 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Sun, 14 Sep 2014 13:22:05 +0200
Subject: [PATCH 12/18] [ bug #1577 ] When creating new Private individual
 third, selected third type is ignored

---
 ChangeLog              | 1 +
 htdocs/societe/soc.php | 9 +--------
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04e63ec1c8e..878a1dcfa4f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ Fix: [ bug #1544 ] Can remove date from invoice.
 Fix: list event view lost type event filter.
 Fix: Add code save on create event.
 Fix: SQL injection.
+Fix: [ bug #1577 ] When creating new Private individual third, selected third type is ignored
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/societe/soc.php b/htdocs/societe/soc.php
index 0e2e58f73e8..b24179328fc 100644
--- a/htdocs/societe/soc.php
+++ b/htdocs/societe/soc.php
@@ -159,14 +159,7 @@ if (empty($reshook))
 
         $object->forme_juridique_code  = GETPOST('forme_juridique_code');
         $object->effectif_id           = GETPOST('effectif_id');
-        if (GETPOST("private") == 1)
-        {
-            $object->typent_id         = dol_getIdFromCode($db,'TE_PRIVATE','c_typent');
-        }
-        else
-        {
-            $object->typent_id         = GETPOST('typent_id');
-        }
+        $object->typent_id         = GETPOST('typent_id');
 
         $object->client                = GETPOST('client');
         $object->fournisseur           = GETPOST('fournisseur');

From 7a28f8e4aaf009ae5354565140abdc8d471d2dc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Sun, 14 Sep 2014 13:59:06 +0200
Subject: [PATCH 13/18] [ bug #1555 ] Update accountancy code of products does
 not throw PRODUCT_MODIFY trigger

---
 ChangeLog                                |  1 +
 htdocs/core/class/commonobject.class.php |  1 -
 htdocs/product/class/product.class.php   | 55 +++++++++++++++++++++++-
 htdocs/product/fiche.php                 | 16 +++----
 4 files changed, 62 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04e63ec1c8e..b277355b9d7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ Fix: [ bug #1544 ] Can remove date from invoice.
 Fix: list event view lost type event filter.
 Fix: Add code save on create event.
 Fix: SQL injection.
+Fix: [ bug #1555 ] Update accountancy code of products does not throw PRODUCT_MODIFY trigger
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/core/class/commonobject.class.php b/htdocs/core/class/commonobject.class.php
index dc2fe2888ad..6439e3e003e 100644
--- a/htdocs/core/class/commonobject.class.php
+++ b/htdocs/core/class/commonobject.class.php
@@ -1053,7 +1053,6 @@ abstract class CommonObject
         }
     }
 
-
     /**
      *  Save a new position (field rang) for details lines.
      *  You can choose to set position for lines with already a position or lines without any position defined.
diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index 52ad1a7f323..d7bdec82079 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -6,7 +6,7 @@
  * Copyright (C) 2007-2011 Jean Heimburger      <jean@tiaris.info>
  * Copyright (C) 2010-2011 Juanjo Menent        <jmenent@2byte.es>
  * Copyright (C) 2013	   Cedric GROSS	        <c.gross@kreiz-it.fr>
- * Copyright (C) 2013      Marcos García        <marcosgdf@gmail.com>
+ * Copyright (C) 2013-2014 Marcos García        <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -796,6 +796,59 @@ class Product extends CommonObject
 		return 1;
 	}
 
+	/**
+	 * Sets an accountancy code for a product.
+	 * Also calls PRODUCT_MODIFY trigger when modified
+	 *
+	 * @param string $type It can be 'buy' or 'sell'
+	 * @param string $value Accountancy code
+	 * @return int <0 KO >0 OK
+	 */
+	public function setAccountancyCode($type, $value)
+	{
+		$this->db->begin();
+
+		if ($type == 'buy') {
+			$field = 'accountancy_code_buy';
+		} elseif ($type == 'sell') {
+			$field = 'accountancy_code_sell';
+		} else {
+			return -1;
+		}
+
+		$sql = "UPDATE ".MAIN_DB_PREFIX.$this->table_element." SET ";
+		$sql.= "$field = '".$this->db->escape($value)."'";
+		$sql.= " WHERE rowid = ".$this->id;
+
+		dol_syslog(get_class($this)."::".__FUNCTION__." sql=".$sql, LOG_DEBUG);
+		$resql = $this->db->query($sql);
+
+		if ($resql) {
+			global $user, $langs, $conf;
+
+			// Call triggers
+			include_once DOL_DOCUMENT_ROOT . '/core/class/interfaces.class.php';
+			$interface=new Interfaces($this->db);
+			$result=$interface->run_triggers('PRODUCT_MODIFY',$this,$user,$langs,$conf);
+			if ($result < 0) {
+				$this->errors=$interface->errors;
+				$this->db->rollback();
+				return -1;
+			}
+			// End call triggers
+
+			$this->$field = $value;
+
+			$this->db->commit();
+			return 1;
+		}
+		else
+		{
+			$this->error=$this->db->lasterror();
+			$this->db->rollback();
+			return -1;
+		}
+	}
 
 	/**
 	 *	Load array this->multilangs
diff --git a/htdocs/product/fiche.php b/htdocs/product/fiche.php
index d96aac8fc33..3c3d7ad8206 100644
--- a/htdocs/product/fiche.php
+++ b/htdocs/product/fiche.php
@@ -6,7 +6,7 @@
  * Copyright (C) 2006      Andre Cianfarani     <acianfa@free.fr>
  * Copyright (C) 2006      Auguria SARL         <info@auguria.org>
  * Copyright (C) 2010-2011 Juanjo Menent        <jmenent@2byte.es>
- * Copyright (C) 2013      Marcos García        <marcosgdf@gmail.com>
+ * Copyright (C) 2013-2014 Marcos García        <marcosgdf@gmail.com>
  * Copyright (C) 2013      Cédric Salvador      <csalvador@gpcsolutions.fr>
  *
  * This program is free software; you can redistribute it and/or modify
@@ -122,20 +122,18 @@ if (empty($reshook))
     	exit;
     }
 
-    if ($action == 'setaccountancy_code_buy')
-    {
-        $result = $object->setValueFrom('accountancy_code_buy', GETPOST('accountancy_code_buy'));
+    if ($action == 'setaccountancy_code_buy') {
+
+	    $result = $object->setAccountancyCode('buy', GETPOST('accountancy_code_buy'));
         if ($result < 0) setEventMessage(join(',',$object->errors), 'errors');
-        else $object->accountancy_code_buy=GETPOST('accountancy_code_buy');
         $action="";
     }
 
     if ($action == 'setaccountancy_code_sell')
     {
-        $result = $object->setValueFrom('accountancy_code_sell', GETPOST('accountancy_code_sell'));
-        if ($result < 0) setEventMessage(join(',',$object->errors), 'errors');
-        else $object->accountancy_code_sell=GETPOST('accountancy_code_sell');
-        $action="";
+	    $result = $object->setAccountancyCode('sell', GETPOST('accountancy_code_sell'));
+	    if ($result < 0) setEventMessage(join(',',$object->errors), 'errors');
+	    $action="";
     }
 
     // Add a product or service

From 9426298b95db766c055bfb39f5e10ebb9990eac9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Sun, 14 Sep 2014 14:19:46 +0200
Subject: [PATCH 14/18] [ bug #1548 ] Supplier payment card shows type in
 French

---
 ChangeLog                                  |  1 +
 htdocs/fourn/class/paiementfourn.class.php | 16 +++++++++++++++-
 htdocs/fourn/paiement/fiche.php            |  4 +++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04e63ec1c8e..eee6f8a3136 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ Fix: [ bug #1544 ] Can remove date from invoice.
 Fix: list event view lost type event filter.
 Fix: Add code save on create event.
 Fix: SQL injection.
+Fix: [ bug #1548 ] Supplier payment card shows type in French
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/fourn/class/paiementfourn.class.php b/htdocs/fourn/class/paiementfourn.class.php
index 380a16bd129..b8e9266cb37 100644
--- a/htdocs/fourn/class/paiementfourn.class.php
+++ b/htdocs/fourn/class/paiementfourn.class.php
@@ -4,6 +4,7 @@
  * Copyright (C) 2005      Marc Barilley / Ocebo  <marc@ocebo.com>
  * Copyright (C) 2005-2009 Regis Houssin          <regis.houssin@capnetworks.com>
  * Copyright (C) 2010-2011 Juanjo Menent          <jmenent@2byte.es>
+ * Copyright (C) 2014      Marcos García          <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -55,6 +56,18 @@ class PaiementFourn extends Paiement
 	// fk_paiement dans llx_paiement est l'id du type de paiement (7 pour CHQ, ...)
 	// fk_paiement dans llx_paiement_facture est le rowid du paiement
 
+	/**
+	 * Label of payment type
+	 * @var string
+	 */
+	public $type_libelle;
+
+	/**
+	 * Code of Payment type
+	 * @var string
+	 */
+	public $type_code;
+
 	/**
 	 *	Constructor
 	 *
@@ -74,7 +87,7 @@ class PaiementFourn extends Paiement
 	function fetch($id)
 	{
 		$sql = 'SELECT p.rowid, p.datep as dp, p.amount, p.statut, p.fk_bank,';
-		$sql.= ' c.libelle as paiement_type,';
+		$sql.= ' c.code as paiement_code, c.libelle as paiement_type,';
 		$sql.= ' p.num_paiement, p.note, b.fk_account';
 		$sql.= ' FROM '.MAIN_DB_PREFIX.'c_paiement as c, '.MAIN_DB_PREFIX.'paiementfourn as p';
 		$sql.= ' LEFT JOIN '.MAIN_DB_PREFIX.'bank as b ON p.fk_bank = b.rowid ';
@@ -95,6 +108,7 @@ class PaiementFourn extends Paiement
 				$this->bank_line      = $obj->fk_bank;
 				$this->montant        = $obj->amount;
 				$this->note           = $obj->note;
+				$this->type_code      = $obj->paiement_code;
 				$this->type_libelle   = $obj->paiement_type;
 				$this->statut         = $obj->statut;
 				$error = 1;
diff --git a/htdocs/fourn/paiement/fiche.php b/htdocs/fourn/paiement/fiche.php
index 0cbceb917a0..97f8b331e65 100644
--- a/htdocs/fourn/paiement/fiche.php
+++ b/htdocs/fourn/paiement/fiche.php
@@ -2,6 +2,7 @@
 /* Copyright (C) 2005      Rodolphe Quiedeville  <rodolphe@quiedeville.org>
  * Copyright (C) 2005      Marc Barilley / Ocebo <marc@ocebo.com>
  * Copyright (C) 2006-2010 Laurent Destailleur   <eldy@users.sourceforge.net>
+ * Copyright (C) 2014      Marcos García         <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -187,7 +188,8 @@ if ($result > 0)
     print '</td></tr>';
 
 	// Payment mode
-	print '<tr><td valign="top" colspan="2">'.$langs->trans('PaymentMode').'</td><td colspan="3">'.$object->type_libelle.'</td></tr>';
+	$labeltype=$langs->trans("PaymentType".$object->type_code)!=("PaymentType".$object->type_code)?$langs->trans("PaymentType".$object->type_code):$object->type_libelle;
+	print '<tr><td valign="top" colspan="2">'.$langs->trans('PaymentMode').'</td><td colspan="3">'.$labeltype.'</td></tr>';
 
 	// Payment numero
     print '<tr><td valign="top" colspan="2">'.$form->editfieldkey("Numero",'num_paiement',$object->numero,$object,$object->statut == 0 && $user->rights->fournisseur->facture->creer).'</td><td colspan="3">';

From 7bac9444e6ef77517905b231a2f81c13efd3d05d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcos=20Garci=CC=81a=20de=20La=20Fuente?=
 <marcosgdf@gmail.com>
Date: Sun, 14 Sep 2014 14:32:17 +0200
Subject: [PATCH 15/18] [ bug #1546 ] Incorrect page number when searching in
 the list of bank transactions

---
 ChangeLog                      |  1 +
 htdocs/compta/bank/account.php | 25 +++++++++++++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 04e63ec1c8e..0f20be69f31 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,7 @@ Fix: [ bug #1544 ] Can remove date from invoice.
 Fix: list event view lost type event filter.
 Fix: Add code save on create event.
 Fix: SQL injection.
+Fix: [ bug #1546 ] Incorrect page number when searching in the list of bank transactions
 
 ***** ChangeLog for 3.5.4 compared to 3.5.3 *****
 Fix: Hide title of event when agenda module disabled.
diff --git a/htdocs/compta/bank/account.php b/htdocs/compta/bank/account.php
index 2cdda511bdb..e1d595aefcc 100644
--- a/htdocs/compta/bank/account.php
+++ b/htdocs/compta/bank/account.php
@@ -5,7 +5,7 @@
  * Copyright (C) 2004      Christophe Combelles <ccomb@free.fr>
  * Copyright (C) 2005-2012 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2010-2011 Juanjo Menent        <jmenent@@2byte.es>
- * Copyright (C) 2012      Marcos García         <marcosgdf@gmail.com>
+ * Copyright (C) 2012-2014 Marcos García         <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -253,17 +253,22 @@ if ($id > 0 || ! empty($ref))
 	//Total pages
 	$totalPages = ceil($total_lines/$viewline);
 
-	if ($page > 0)
-	{
-		$limitsql = ($totalPages - $page) * $viewline;
-		if ($limitsql < $viewline) $limitsql = $viewline;
-		$nbline = $limitsql;
-	}
-	else
-	{
+	if ($totalPages == 0) {
 		$page = 0;
-		$limitsql = $nbline;
+	} else {
+
+		if ($page > 0) {
+			$limitsql = ($totalPages - $page) * $viewline;
+			if ($limitsql < $viewline) {
+				$limitsql = $viewline;
+			}
+			$nbline = $limitsql;
+		} else {
+			$page = 0;
+			$limitsql = $nbline;
+		}
 	}
+
 	//print $limitsql.'-'.$page.'-'.$viewline;
 
 	// Onglets

From d812262ed834a0c5813dd7ac3f31cf6d1dcf4e24 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 14 Sep 2014 21:52:52 +0200
Subject: [PATCH 16/18] Fix: Missing source

---
 .../plugins/tablednd/jquery.tablednd.0.6.js   | 400 ++++++++++++++++++
 1 file changed, 400 insertions(+)
 create mode 100644 htdocs/includes/jquery/plugins/tablednd/jquery.tablednd.0.6.js

diff --git a/htdocs/includes/jquery/plugins/tablednd/jquery.tablednd.0.6.js b/htdocs/includes/jquery/plugins/tablednd/jquery.tablednd.0.6.js
new file mode 100644
index 00000000000..34f3c88232b
--- /dev/null
+++ b/htdocs/includes/jquery/plugins/tablednd/jquery.tablednd.0.6.js
@@ -0,0 +1,400 @@
+/**
+ * TableDnD plug-in for JQuery, allows you to drag and drop table rows
+ * You can set up various options to control how the system will work
+ * Copyright (c) Denis Howlett <denish@isocra.com>
+ * Licensed like jQuery, see http://docs.jquery.com/License.
+ *
+ * Configuration options:
+ * 
+ * onDragStyle
+ *     This is the style that is assigned to the row during drag. There are limitations to the styles that can be
+ *     associated with a row (such as you can't assign a border--well you can, but it won't be
+ *     displayed). (So instead consider using onDragClass.) The CSS style to apply is specified as
+ *     a map (as used in the jQuery css(...) function).
+ * onDropStyle
+ *     This is the style that is assigned to the row when it is dropped. As for onDragStyle, there are limitations
+ *     to what you can do. Also this replaces the original style, so again consider using onDragClass which
+ *     is simply added and then removed on drop.
+ * onDragClass
+ *     This class is added for the duration of the drag and then removed when the row is dropped. It is more
+ *     flexible than using onDragStyle since it can be inherited by the row cells and other content. The default
+ *     is class is tDnD_whileDrag. So to use the default, simply customise this CSS class in your
+ *     stylesheet.
+ * onDrop
+ *     Pass a function that will be called when the row is dropped. The function takes 2 parameters: the table
+ *     and the row that was dropped. You can work out the new order of the rows by using
+ *     table.rows.
+ * onDragStart
+ *     Pass a function that will be called when the user starts dragging. The function takes 2 parameters: the
+ *     table and the row which the user has started to drag.
+ * onAllowDrop
+ *     Pass a function that will be called as a row is over another row. If the function returns true, allow 
+ *     dropping on that row, otherwise not. The function takes 2 parameters: the dragged row and the row under
+ *     the cursor. It returns a boolean: true allows the drop, false doesn't allow it.
+ * scrollAmount
+ *     This is the number of pixels to scroll if the user moves the mouse cursor to the top or bottom of the
+ *     window. The page should automatically scroll up or down as appropriate (tested in IE6, IE7, Safari, FF2,
+ *     FF3 beta
+ * dragHandle
+ *     This is the name of a class that you assign to one or more cells in each row that is draggable. If you
+ *     specify this class, then you are responsible for setting cursor: move in the CSS and only these cells
+ *     will have the drag behaviour. If you do not specify a dragHandle, then you get the old behaviour where
+ *     the whole row is draggable.
+ * 
+ * Other ways to control behaviour:
+ *
+ * Add class="nodrop" to any rows for which you don't want to allow dropping, and class="nodrag" to any rows
+ * that you don't want to be draggable.
+ *
+ * Inside the onDrop method you can also call $.tableDnD.serialize() this returns a string of the form
+ * <tableID>[]=<rowID1>&<tableID>[]=<rowID2> so that you can send this back to the server. The table must have
+ * an ID as must all the rows.
+ *
+ * Other methods:
+ *
+ * $("...").tableDnDUpdate() 
+ * Will update all the matching tables, that is it will reapply the mousedown method to the rows (or handle cells).
+ * This is useful if you have updated the table rows using Ajax and you want to make the table draggable again.
+ * The table maintains the original configuration (so you don't have to specify it again).
+ *
+ * $("...").tableDnDSerialize()
+ * Will serialize and return the serialized string as above, but for each of the matching tables--so it can be
+ * called from anywhere and isn't dependent on the currentTable being set up correctly before calling
+ *
+ * Known problems:
+ * - Auto-scoll has some problems with IE7  (it scrolls even when it shouldn't), work-around: set scrollAmount to 0
+ * 
+ * Version 0.2: 2008-02-20 First public version
+ * Version 0.3: 2008-02-07 Added onDragStart option
+ *                         Made the scroll amount configurable (default is 5 as before)
+ * Version 0.4: 2008-03-15 Changed the noDrag/noDrop attributes to nodrag/nodrop classes
+ *                         Added onAllowDrop to control dropping
+ *                         Fixed a bug which meant that you couldn't set the scroll amount in both directions
+ *                         Added serialize method
+ * Version 0.5: 2008-05-16 Changed so that if you specify a dragHandle class it doesn't make the whole row
+ *                         draggable
+ *                         Improved the serialize method to use a default (and settable) regular expression.
+ *                         Added tableDnDupate() and tableDnDSerialize() to be called when you are outside the table
+ * Version 0.6: 2011-12-02 Added support for touch devices
+ */
+// Determine if this is a touch device
+var hasTouch = 'ontouchstart' in document.documentElement,
+	startEvent = hasTouch ? 'touchstart' : 'mousedown',
+	moveEvent = hasTouch ? 'touchmove' : 'mousemove',
+	endEvent = hasTouch ? 'touchend' : 'mouseup';
+
+jQuery.tableDnD = {
+    /** Keep hold of the current table being dragged */
+    currentTable : null,
+    /** Keep hold of the current drag object if any */
+    dragObject: null,
+    /** The current mouse offset */
+    mouseOffset: null,
+    /** Remember the old value of Y so that we don't do too much processing */
+    oldY: 0,
+
+
+    /** Actually build the structure */
+    build: function(options) {
+        // Set up the defaults if any
+
+        this.each(function() {
+            // This is bound to each matching table, set up the defaults and override with user options
+            this.tableDnDConfig = jQuery.extend({
+                onDragStyle: null,
+                onDropStyle: null,
+				// Add in the default class for whileDragging
+				onDragClass: "tDnD_whileDrag",
+                onDrop: null,
+                onDragStart: null,
+                scrollAmount: 5,
+
+                serializeRegexp: /[^\-]*$/, // The regular expression to use to trim row IDs
+				serializeParamName: null, // If you want to specify another parameter name instead of the table ID
+                dragHandle: null // If you give the name of a class here, then only Cells with this class will be draggable
+            }, options || {});
+            // Now make the rows draggable
+            jQuery.tableDnD.makeDraggable(this);
+        });
+
+        // Don't break the chain
+        return this;
+    },
+
+    /** This function makes all the rows on the table draggable apart from those marked as "NoDrag" */
+    makeDraggable: function(table) {
+		
+        var config = table.tableDnDConfig;
+		if (config.dragHandle) {
+			// We only need to add the event to the specified cells
+			var cells = jQuery("td."+table.tableDnDConfig.dragHandle, table);
+			cells.each(function() {
+				// The cell is bound to "this"
+                jQuery(this).bind(startEvent, function(ev) {
+					jQuery.tableDnD.initialiseDrag(this.parentNode, table, this, ev, config);
+                    return false;
+                });
+			})
+		} else {
+			// For backwards compatibility, we add the event to the whole row
+	        var rows = jQuery("tr", table); // get all the rows as a wrapped set
+	        rows.each(function() {
+				// Iterate through each row, the row is bound to "this"
+				var row = jQuery(this);
+				if (! row.hasClass("nodrag")) {
+	                row.bind(startEvent, function(ev) {
+	                    if (ev.target.tagName == "TD") {
+							jQuery.tableDnD.initialiseDrag(this, table, this, ev, config);
+	                        return false;
+	                    }
+	                }).css("cursor", "move"); // Store the tableDnD object
+				}
+			});
+		}
+	},
+	
+	initialiseDrag: function(dragObject, table, target, evnt, config) {
+        jQuery.tableDnD.dragObject = dragObject;
+        jQuery.tableDnD.currentTable = table;
+        jQuery.tableDnD.mouseOffset = jQuery.tableDnD.getMouseOffset(target, evnt);
+        jQuery.tableDnD.originalOrder = jQuery.tableDnD.serialize();
+        // Now we need to capture the mouse up and mouse move event
+        // We can use bind so that we don't interfere with other event handlers
+        jQuery(document)
+            .bind(moveEvent, jQuery.tableDnD.mousemove)
+            .bind(endEvent, jQuery.tableDnD.mouseup);
+        if (config.onDragStart) {
+            // Call the onDragStart method if there is one
+            config.onDragStart(table, target);
+        }
+	},
+
+	updateTables: function() {
+		this.each(function() {
+			// this is now bound to each matching table
+			if (this.tableDnDConfig) {
+				jQuery.tableDnD.makeDraggable(this);
+			}
+		})
+	},
+
+    /** Get the mouse coordinates from the event (allowing for browser differences) */
+    mouseCoords: function(ev){
+        if(ev.pageX || ev.pageY){
+            return {x:ev.pageX, y:ev.pageY};
+        }
+        return {
+            x:ev.clientX + document.body.scrollLeft - document.body.clientLeft,
+            y:ev.clientY + document.body.scrollTop  - document.body.clientTop
+        };
+    },
+
+    /** Given a target element and a mouse event, get the mouse offset from that element.
+        To do this we need the element's position and the mouse position */
+    getMouseOffset: function(target, ev) {
+        ev = ev || window.event;
+
+        var docPos    = this.getPosition(target);
+        var mousePos  = this.mouseCoords(ev);
+        return {x:mousePos.x - docPos.x, y:mousePos.y - docPos.y};
+    },
+
+    /** Get the position of an element by going up the DOM tree and adding up all the offsets */
+    getPosition: function(e){
+        var left = 0;
+        var top  = 0;
+        /** Safari fix -- thanks to Luis Chato for this! */
+        if (e.offsetHeight == 0) {
+            /** Safari 2 doesn't correctly grab the offsetTop of a table row
+            this is detailed here:
+            http://jacob.peargrove.com/blog/2006/technical/table-row-offsettop-bug-in-safari/
+            the solution is likewise noted there, grab the offset of a table cell in the row - the firstChild.
+            note that firefox will return a text node as a first child, so designing a more thorough
+            solution may need to take that into account, for now this seems to work in firefox, safari, ie */
+            e = e.firstChild; // a table cell
+        }
+
+        while (e.offsetParent){
+            left += e.offsetLeft;
+            top  += e.offsetTop;
+            e     = e.offsetParent;
+        }
+
+        left += e.offsetLeft;
+        top  += e.offsetTop;
+
+        return {x:left, y:top};
+    },
+
+    mousemove: function(ev) {
+        if (jQuery.tableDnD.dragObject == null) {
+            return;
+        }
+		if (ev.type == 'touchmove') {
+			// prevent touch device screen scrolling
+			event.preventDefault(); 
+		}
+
+        var dragObj = jQuery(jQuery.tableDnD.dragObject);
+        var config = jQuery.tableDnD.currentTable.tableDnDConfig;
+        var mousePos = jQuery.tableDnD.mouseCoords(ev);
+        var y = mousePos.y - jQuery.tableDnD.mouseOffset.y;
+        //auto scroll the window
+	    var yOffset = window.pageYOffset;
+	 	if (document.all) {
+	        // Windows version
+	        //yOffset=document.body.scrollTop;
+	        if (typeof document.compatMode != 'undefined' &&
+	             document.compatMode != 'BackCompat') {
+	           yOffset = document.documentElement.scrollTop;
+	        }
+	        else if (typeof document.body != 'undefined') {
+	           yOffset=document.body.scrollTop;
+	        }
+
+	    }
+		    
+		if (mousePos.y-yOffset < config.scrollAmount) {
+	    	window.scrollBy(0, -config.scrollAmount);
+	    } else {
+            var windowHeight = window.innerHeight ? window.innerHeight
+                    : document.documentElement.clientHeight ? document.documentElement.clientHeight : document.body.clientHeight;
+            if (windowHeight-(mousePos.y-yOffset) < config.scrollAmount) {
+                window.scrollBy(0, config.scrollAmount);
+            }
+        }
+
+
+        if (y != jQuery.tableDnD.oldY) {
+            // work out if we're going up or down...
+            var movingDown = y > jQuery.tableDnD.oldY;
+            // update the old value
+            jQuery.tableDnD.oldY = y;
+            // update the style to show we're dragging
+			if (config.onDragClass) {
+				dragObj.addClass(config.onDragClass);
+			} else {
+	            dragObj.css(config.onDragStyle);
+			}
+            // If we're over a row then move the dragged row to there so that the user sees the
+            // effect dynamically
+            var currentRow = jQuery.tableDnD.findDropTargetRow(dragObj, y);
+            if (currentRow) {
+                // TODO worry about what happens when there are multiple TBODIES
+                if (movingDown && jQuery.tableDnD.dragObject != currentRow) {
+                    jQuery.tableDnD.dragObject.parentNode.insertBefore(jQuery.tableDnD.dragObject, currentRow.nextSibling);
+                } else if (! movingDown && jQuery.tableDnD.dragObject != currentRow) {
+                    jQuery.tableDnD.dragObject.parentNode.insertBefore(jQuery.tableDnD.dragObject, currentRow);
+                }
+            }
+        }
+
+        return false;
+    },
+
+    /** We're only worried about the y position really, because we can only move rows up and down */
+    findDropTargetRow: function(draggedRow, y) {
+        var rows = jQuery.tableDnD.currentTable.rows;
+        for (var i=0; i<rows.length; i++) {
+            var row = rows[i];
+            var rowY    = this.getPosition(row).y;
+            var rowHeight = parseInt(row.offsetHeight)/2;
+            if (row.offsetHeight == 0) {
+                rowY = this.getPosition(row.firstChild).y;
+                rowHeight = parseInt(row.firstChild.offsetHeight)/2;
+            }
+            // Because we always have to insert before, we need to offset the height a bit
+            if ((y > rowY - rowHeight) && (y < (rowY + rowHeight))) {
+                // that's the row we're over
+				// If it's the same as the current row, ignore it
+				if (row == draggedRow) {return null;}
+                var config = jQuery.tableDnD.currentTable.tableDnDConfig;
+                if (config.onAllowDrop) {
+                    if (config.onAllowDrop(draggedRow, row)) {
+                        return row;
+                    } else {
+                        return null;
+                    }
+                } else {
+					// If a row has nodrop class, then don't allow dropping (inspired by John Tarr and Famic)
+                    var nodrop = jQuery(row).hasClass("nodrop");
+                    if (! nodrop) {
+                        return row;
+                    } else {
+                        return null;
+                    }
+                }
+                return row;
+            }
+        }
+        return null;
+    },
+
+    mouseup: function(e) {
+        if (jQuery.tableDnD.currentTable && jQuery.tableDnD.dragObject) {
+	        // Unbind the event handlers
+	        jQuery(document)
+	            .unbind(moveEvent, jQuery.tableDnD.mousemove)
+	            .unbind(endEvent, jQuery.tableDnD.mouseup);
+            var droppedRow = jQuery.tableDnD.dragObject;
+            var config = jQuery.tableDnD.currentTable.tableDnDConfig;
+            // If we have a dragObject, then we need to release it,
+            // The row will already have been moved to the right place so we just reset stuff
+			if (config.onDragClass) {
+	            jQuery(droppedRow).removeClass(config.onDragClass);
+			} else {
+	            jQuery(droppedRow).css(config.onDropStyle);
+			}
+            jQuery.tableDnD.dragObject   = null;
+            var newOrder = jQuery.tableDnD.serialize();
+            if (config.onDrop && (jQuery.tableDnD.originalOrder != newOrder)) {
+                // Call the onDrop method if there is one
+                config.onDrop(jQuery.tableDnD.currentTable, droppedRow);
+            }
+            jQuery.tableDnD.currentTable = null; // let go of the table too
+        }
+    },
+
+    serialize: function() {
+        if (jQuery.tableDnD.currentTable) {
+            return jQuery.tableDnD.serializeTable(jQuery.tableDnD.currentTable);
+        } else {
+            return "Error: No Table id set, you need to set an id on your table and every row";
+        }
+    },
+
+	serializeTable: function(table) {
+        var result = "";
+        var tableId = table.id;
+        var rows = table.rows;
+        for (var i=0; i<rows.length; i++) {
+            if (result.length > 0) result += "&";
+            var rowId = rows[i].id;
+            if (rowId && rowId && table.tableDnDConfig && table.tableDnDConfig.serializeRegexp) {
+                rowId = rowId.match(table.tableDnDConfig.serializeRegexp)[0];
+            }
+
+            result += tableId + '[]=' + rowId;
+        }
+        return result;
+	},
+
+	serializeTables: function() {
+        var result = "";
+        this.each(function() {
+			// this is now bound to each matching table
+			result += jQuery.tableDnD.serializeTable(this);
+		});
+        return result;
+    }
+
+};
+
+
+jQuery.fn.extend(
+	{
+		tableDnD : jQuery.tableDnD.build,
+		tableDnDUpdate : jQuery.tableDnD.updateTables,
+		tableDnDSerialize: jQuery.tableDnD.serializeTables
+	}
+);
\ No newline at end of file

From 76ba3301c3041cca2c3cb1cbcdf8341b30aebb22 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Sun, 14 Sep 2014 22:34:17 +0200
Subject: [PATCH 17/18] Fix: Syntax for license key

---
 build/debian/copyright | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build/debian/copyright b/build/debian/copyright
index d75283b535a..73109152034 100644
--- a/build/debian/copyright
+++ b/build/debian/copyright
@@ -61,7 +61,7 @@ License: GPL-3+
 Files: htdocs/includes/adodbtime/*
 Copyright: 2003-2005, John Lim
            unknown, jackbbs
-License: BSD
+License: BSD-3-Clause
  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:
@@ -272,7 +272,7 @@ Comment:
 
 Files: htdocs/includes/jquery/plugins/flot/*
 Copyright: Flot team
-License: Public Domain
+License: Public-Domain
  This work is not subject to copyright in any jurisdiction
 Comment:
  Those files are not shipped in the binary package because we configure

From 9493e252c9ff75b06467a881fe23a5cc25093af7 Mon Sep 17 00:00:00 2001
From: Florian HENRY <florian.henry@open-concept.pro>
Date: Mon, 15 Sep 2014 09:55:09 +0200
Subject: [PATCH 18/18] add refext into fecth product

---
 htdocs/product/class/product.class.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/htdocs/product/class/product.class.php b/htdocs/product/class/product.class.php
index d7bdec82079..e6695b75bc6 100644
--- a/htdocs/product/class/product.class.php
+++ b/htdocs/product/class/product.class.php
@@ -1206,6 +1206,7 @@ class Product extends CommonObject
 		$sql.= " weight, weight_units, length, length_units, surface, surface_units, volume, volume_units, barcode, fk_barcode_type, finished,";
 		$sql.= " accountancy_code_buy, accountancy_code_sell, stock, pmp,";
 		$sql.= " datec, tms, import_key, entity, desiredstock";
+		$sql.= " ,ref_ext";
 		$sql.= " FROM ".MAIN_DB_PREFIX."product";
 		if ($id) $sql.= " WHERE rowid = ".$this->db->escape($id);
 		else
@@ -1277,6 +1278,7 @@ class Product extends CommonObject
 				$this->date_modification		= $obj->tms;
 				$this->import_key				= $obj->import_key;
 				$this->entity					= $obj->entity;
+				$this->ref_ext					= $obj->ref_ext;
 
 				$this->db->free($resql);