Fix: 22757

Another way to fix this bug because first fix was using not portable code.

htdocs/fourn/facture/paiement.php

@@ -112,7 +112,7 @@ if ($action == 'add_paiement')
       $paiement->amounts      = $amounts;   // Array of amounts
       $paiement->paiementid   = $_POST['paiementid'];
       $paiement->num_paiement = $_POST['num_paiement'];
-      $paiement->note         = mysql_real_escape_string($_POST['comment']);
+      $paiement->note         = $_POST['comment'];
       
       $paiement_id = $paiement->create($user);
       if ($paiement_id > 0)

htdocs/fourn/facture/paiementfourn.class.php

@@ -122,7 +122,7 @@ class PaiementFourn
 		
 		$error = 0;
 
-		// Nettoyage parametres
+		// Clean parameters
 		$this->total = 0;
 		foreach ($this->amounts as $key => $value)
 		{
@@ -141,7 +141,7 @@ class PaiementFourn
 			$sql = 'INSERT INTO '.MAIN_DB_PREFIX.'paiementfourn (';
 			$sql.= 'datec, datep, amount, fk_paiement, num_paiement, note, fk_user_author, fk_bank)';
 			$sql.= ' VALUES (now(),';
-			$sql.= ' '.$this->db->idate($this->datepaye).', \''.$this->total.'\', '.$this->paiementid.', \''.$this->num_paiement.'\', \''.$this->note.'\', '.$user->id.', 0)';
+			$sql.= " ".$this->db->idate($this->datepaye).", '".$this->total."', ".$this->paiementid.", '".$this->num_paiement."', '".addslashes($this->note)."', ".$user->id.", 0)";
 			
 			dolibarr_syslog("PaiementFourn::create sql=".$sql);
 			$resql = $this->db->query($sql);