diff --git a/wp-admin/setup-config.php b/wp-admin/setup-config.php
index 98618900cb..6298ad5e75 100644
--- a/wp-admin/setup-config.php
+++ b/wp-admin/setup-config.php
@@ -157,7 +157,12 @@ switch($step) {
 $passwrd = trim($_POST['pwd']);
 $dbhost = trim($_POST['dbhost']);
 $prefix = trim($_POST['prefix']);
- if (empty($prefix)) $prefix = 'wp_';
+ if ( empty($prefix) )
+ $prefix = 'wp_';
+
+ // Validate $prefix: it can only contain letters, numbers and underscores
+ if ( preg_match( '|[^a-z0-9_]|i', $prefix ) )
+ wp_die( /*WP_I18N_BAD_PREFIX*/'ERROR: "Table Prefix" can only contain numbers, letters, and underscores.'/*/WP_I18N_BAD_PREFIX*/ );
 
 // Test the db connection.
 /**#@+
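Review bot: The allow-list check covers only `$prefix`; `$passwrd` and `$dbhost` in the context lines just above it (and presumably the other form fields read before the hunk) are still only passed through `trim()`. If those values are later written into the generated `wp-config.php` as PHP string literals, which this hunk does not show, they need escaping for that context at the point where the file is written, because a quote or backslash in them would otherwise change the generated code. A comment next to the new check would make that boundary explicit: `// Only $prefix is validated here; the other fields must be escaped where they are written to wp-config.php.` The enclosing `switch` case starts and ends outside the hunk, so the write site should be confirmed there.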