Index: wp-admin/setup-config.php
===================================================================
--- wp-admin/setup-config.php	(revision 19932)
+++ wp-admin/setup-config.php	(working copy)
@@ -51,6 +51,7 @@
 
 require_once(ABSPATH . WPINC . '/compat.php');
 require_once(ABSPATH . WPINC . '/class-wp-error.php');
+require_once(ABSPATH . WPINC . '/formatting.php');
 
 if ( ! file_exists( ABSPATH . 'wp-config-sample.php' ) )
 	wp_die( __( 'Sorry, I need a wp-config-sample.php file to work from. Please re-upload this file from your WordPress installation.' ) );
@@ -152,17 +153,22 @@
 	break;
 
 	case 2:
-	$dbname  = trim($_POST['dbname']);
-	$uname   = trim($_POST['uname']);
-	$passwrd = trim($_POST['pwd']);
-	$dbhost  = trim($_POST['dbhost']);
-	$prefix  = trim($_POST['prefix']);
-	if ( empty($prefix) )
-		$prefix = 'wp_';
+	wp_magic_quotes();
 
+	$dbname  = trim( stripslashes( $_POST['dbname'] ) );
+	$uname   = trim( stripslashes( $_POST['uname'] ) );
+	$passwrd = trim( stripslashes( $_POST['pwd'] ) );
+	$dbhost  = trim( $_POST['dbhost'] );
+	$prefix  = trim( $_POST['prefix'] );
+
+	$tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button">' . __( 'Try Again' ) . '</a>';
+
+	if ( empty( $prefix ) )
+		wp_die( __( '<strong>ERROR</strong>: "Table Prefix" must not be empty.' . $tryagain_link ) );
+
 	// Validate $prefix: it can only contain letters, numbers and underscores
 	if ( preg_match( '|[^a-z0-9_]|i', $prefix ) )
-		wp_die( __( '<strong>ERROR</strong>: "Table Prefix" can only contain numbers, letters, and underscores.' ) );
+		wp_die( __( '<strong>ERROR</strong>: "Table Prefix" can only contain numbers, letters, and underscores.' . $tryagain_link ) );
 
 	// Test the db connection.
 	/**#@+
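Review bot: Both new wp_die() calls pass the concatenation `'…' . $tryagain_link` into `__()`, so the string handed to gettext is the message plus the runtime-built link and will never match the catalog msgid; the error text stays untranslated, and the message text is no longer a literal that translation tools can extract. Move the link outside the translation call on both lines: `wp_die( __( '<strong>ERROR</strong>: "Table Prefix" must not be empty.' ) . $tryagain_link );` and likewise for the "can only contain numbers, letters, and underscores" message. Separately, after wp_magic_quotes() only $dbname, $uname and $passwrd are run through stripslashes() while $dbhost keeps any added slashes; $prefix is covered by the character check, but it would be worth a comment or a matching stripslashes() on $dbhost so the asymmetry is deliberate rather than accidental. The enclosing switch case continues outside this hunk.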
@@ -176,10 +182,8 @@
 
 	// We'll fail here if the values are no good.
 	require_wp_db();
-	if ( ! empty( $wpdb->error ) ) {
-		$back = '<p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button">' . __( 'Try Again' ) . '</a></p>';
-		wp_die( $wpdb->error->get_error_message() . $back );
-	}
+	if ( ! empty( $wpdb->error ) )
+		wp_die( $wpdb->error->get_error_message() . $tryagain_link );
 
 	// Fetch or generate keys and salts.
 	$no_api = isset( $_POST['noapi'] );
@@ -227,6 +231,9 @@
 			case 'DB_NAME'     :
 			case 'DB_USER'     :
 			case 'DB_PASSWORD' :
+				$value = addcslashes( constant( $constant ), "\\'" );
+				$line = "define('" . $constant . "'," . $padding . "'" . $value . "');\r\n";
+				break;
 			case 'DB_HOST'     :
 				$line = "define('" . $constant . "'," . $padding . "'" . constant( $constant ) . "');\r\n";
 				break;
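Review bot: The new addcslashes() escaping of backslash and single quote is what makes DB_NAME, DB_USER and DB_PASSWORD safe to embed in the generated single-quoted literal, but the DB_HOST case directly below still interpolates `constant( $constant )` unescaped, so a host value containing `'` or `\` would produce a syntactically broken wp-config.php or let the value spill out of the string literal. Since $dbhost comes from $_POST and is not validated earlier in this patch, the DB_HOST branch should use the same two lines: `$value = addcslashes( constant( $constant ), "\\'" );` followed by the `$line = …'" . $value . "');\r\n"` form. A short comment such as `// Escape for a single-quoted PHP string literal: only \ and ' are significant.` above the addcslashes() call would make the choice of character list clear. The enclosing switch and the loop around it start and end outside this hunk.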
