diff --git a/htdocs/admin/boxes.php b/htdocs/admin/boxes.php
index 4f6dfff33a5..2dbcfe00015 100644
--- a/htdocs/admin/boxes.php
+++ b/htdocs/admin/boxes.php
@@ -175,10 +175,10 @@ if ($action == 'switch')
 $db->begin();
 $objfrom = new ModeleBoxes($db);
- $objfrom->fetch($_GET["switchfrom"]);
+ $objfrom->fetch(GETPOST("switchfrom", 'int'));
 $objto = new ModeleBoxes($db);
- $objto->fetch($_GET["switchto"]);
+ $objto->fetch(GETPOST('switchto', 'int'));
 $resultupdatefrom = 0;
 $resultupdateto = 0;
@@ -192,12 +192,12 @@ if ($action == 'switch')
 $newsecondnum = preg_replace('/[a-zA-Z]+/', '', $newsecond);
 $newsecond = sprintf("%s%02d", $newsecondchar ? $newsecondchar : 'A', $newsecondnum + 1);
 }
- $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".$objfrom->rowid;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newfirst)."' WHERE rowid=".((int) $objfrom->rowid);
 dol_syslog($sql);
 $resultupdatefrom = $db->query($sql);
 if (!$resultupdatefrom) { dol_print_error($db); }
- $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".$objto->rowid;
+ $sql = "UPDATE ".MAIN_DB_PREFIX."boxes SET box_order='".$db->escape($newsecond)."' WHERE rowid=".((int) $objto->rowid);
 dol_syslog($sql);
 $resultupdateto = $db->query($sql);
 if (!$resultupdateto) { dol_print_error($db); }
diff --git a/htdocs/core/boxes/modules_boxes.php b/htdocs/core/boxes/modules_boxes.php
index 51719ec6c15..80589e4c4f3 100644
--- a/htdocs/core/boxes/modules_boxes.php
+++ b/htdocs/core/boxes/modules_boxes.php
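Review bot: Nothing checks that the two fetch() calls actually found a box before the switch proceeds; with the 'int' filter an absent or non-numeric switchfrom/switchto presumably becomes 0, fetch() then selects no row and leaves `$objfrom->rowid` unset, and the UPDATEs in the next hunk run against `rowid=0` without any error being raised. I would guard right after the two fetches, e.g. `if (empty($objfrom->rowid) || empty($objto->rowid)) { setEventMessages('Box not found', null, 'errors'); }` and skip the updates in that case (the commit/rollback handling of this block lies outside the hunk, so where to bail out has to be decided there). As a style point, `"switchfrom"` is double-quoted while `'switchto'` two lines below is single-quoted; pick one. The enclosing `if ($action == 'switch')` block starts and ends outside this hunk.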
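Review bot: The rewritten UPDATE lines still read `$objfrom->rowid` and `$objto->rowid`, although this same commit (modules_boxes.php, hunk `@@ -155,7 +155,8 @@`) turns `rowid` into a backward-compatibility alias of the new `id` property; code the commit itself touches should use the new name, `WHERE rowid=".((int) $objfrom->id)` and `WHERE rowid=".((int) $objto->id)`. Note also that the `(int)` cast maps an unset property (fetch() found no row) to 0, so a failed lookup now produces an UPDATE that matches nothing rather than an error, which is why the existence check belongs at the fetch() calls in the previous hunk. The enclosing `if ($action == 'switch')` block continues outside this hunk.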
@@ -143,10 +143,10 @@ class ModeleBoxes // Can't be abtract as it is instantiated to build "empty" box
 global $conf;
 // Recupere liste des boites d'un user si ce dernier a sa propre liste
- $sql = "SELECT b.rowid, b.box_id, b.position, b.box_order, b.fk_user";
+ $sql = "SELECT b.rowid as id, b.box_id, b.position, b.box_order, b.fk_user";
 $sql .= " FROM ".MAIN_DB_PREFIX."boxes as b";
 $sql .= " WHERE b.entity = ".$conf->entity;
- $sql .= " AND b.rowid = ".$rowid;
+ $sql .= " AND b.rowid = ".((int) $rowid);
 dol_syslog(get_class($this)."::fetch rowid=".$rowid);
 $resql = $this->db->query($sql);
@@ -155,7 +155,8 @@ class ModeleBoxes // Can't be abtract as it is instantiated to build "empty" box
 $obj = $this->db->fetch_object($resql);
 if ($obj) {
- $this->rowid = $obj->rowid;
+ $this->id = $obj->id;
+ $this->rowid = $obj->id; // For backward compatibility
 $this->box_id = $obj->box_id;
 $this->position = $obj->position;
 $this->box_order = $obj->box_order;
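Review bot: `$conf->entity` is still concatenated into the WHERE clause without a cast on the line just above the changed one, while `$rowid` now gets `(int)`; for consistency the entity filter should read `$sql .= " WHERE b.entity = ".((int) $conf->entity);`. The dol_syslog line logs the raw `$rowid` rather than the cast value actually sent to the database, so a log entry may not match the executed SQL. The French comment above the SELECT ("retrieve the list of a user's boxes if they have their own") does not describe this query, which loads a single boxes row by rowid within the current entity; I would replace it with `// Load one boxes row by rowid, restricted to the current entity`. The fetch() method starts outside this hunk.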
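Review bot: `$this->id` is assigned but the hunk does not show `$id` declared on ModeleBoxes (the class header is outside this hunk); if it is not declared, this creates a dynamic property, which is deprecated as of PHP 8.2 and invisible to static analysis. Declare it next to the existing properties, `public $id;`, and give `$rowid` a `@deprecated Use $id instead` docblock so the inline "For backward compatibility" comment has a counterpart at the declaration. fetch() begins before and ends after this hunk.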