Fix: [ bug #1819 ] SQL error when searching for an invoice payment

ChangeLog

@@ -18,6 +18,7 @@ English Dolibarr ChangeLog
 - Fix: [ bug #1717 ] Sorting unpaid invoices by amount received brings due amount
 - Fix: [ bug #1784 ] MOTD doesn't show up in Amarok theme
 - Fix: Tracking number not visible on shipment pdf
+- Fix: [ bug #1819 ] SQL error when searching for an invoice payment
 
 ***** ChangeLog for 3.6.2 compared to 3.6.1 *****
 - Fix: fix ErrorBadValueForParamNotAString error message in price customer multiprice.

htdocs/compta/paiement/liste.php

@@ -3,6 +3,7 @@
  * Copyright (C) 2004-2011 Laurent Destailleur  <eldy@users.sourceforge.net>
  * Copyright (C) 2005-2009 Regis Houssin        <regis.houssin@capnetworks.com>
  * Copyright (C) 2013      Cédric Salvador      <csalvador@gpcsolutions.fr>
+ * Copyright (C) 2015      Marcos García        <marcosgdf@gmail.com>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -53,6 +54,8 @@ $limit = $conf->liste_limit;
 if (! $sortorder) $sortorder="DESC";
 if (! $sortfield) $sortfield="p.rowid";
 
+$search_ref = GETPOST("search_ref",'int');
+$search_account = GETPOST("search_account",'int');
 
 
 
@@ -109,11 +112,13 @@ else
         if ($userid == -1) $sql.= " AND f.fk_user_author IS NULL";
         else  $sql.= " AND f.fk_user_author = ".$userid;
     }
+
+
     // Search criteria
-    if (GETPOST("search_ref"))         		$sql .=" AND p.rowid=".GETPOST("search_ref",'int');
-    if (GETPOST("search_account") > 0)      $sql .=" AND b.fk_account=".GETPOST("search_account",'int');
-    if (GETPOST("search_paymenttype") != "")  $sql .=" AND c.code='".GETPOST("search_paymenttype")."'";
-    if (GETPOST("search_amount"))      		$sql .=" AND p.amount=".price2num(GETPOST("search_amount"));
+    if ($search_ref)         		$sql .=" AND p.rowid=".$search_ref;
+    if ($search_account > 0)      $sql .=" AND b.fk_account=".$search_account;
+    if (GETPOST("search_paymenttype") != "")  $sql .=" AND c.code='".$db->escape(GETPOST("search_paymenttype"))."'";
+    if (GETPOST("search_amount"))      		$sql .=" AND p.amount='".$db->escape(price2num(GETPOST("search_amount")))."'";
     if (GETPOST("search_company"))     		$sql .= natural_search('s.nom', GETPOST('search_company'));
 }
 $sql.= $db->order($sortfield,$sortorder);
@@ -129,7 +134,7 @@ if ($resql)
 
     $paramlist='';
     $paramlist.=(GETPOST("orphelins")?"&orphelins=1":"");
-    $paramlist.=($_REQUEST["search_ref"]?"&search_ref=".$_REQUEST["search_ref"]:"");
+    $paramlist.=($search_ref?"&search_ref=".$search_ref:"");
     $paramlist.=($_REQUEST["search_company"]?"&search_company=".$_REQUEST["search_company"]:"");
     $paramlist.=($_REQUEST["search_amount"]?"&search_amount=".$_REQUEST["search_amount"]:"");
 
@@ -154,7 +159,7 @@ if ($resql)
     // Lines for filters fields
     print '<tr class="liste_titre">';
     print '<td align="left">';
-    print '<input class="fat" type="text" size="4" name="search_ref" value="'.$_REQUEST["search_ref"].'">';
+    print '<input class="fat" type="text" size="4" name="search_ref" value="'.$search_ref.'">';
     print '</td>';
     print '<td>&nbsp;</td>';
     print '<td align="left">';