diff --git a/setup/inc/class.setup.inc.php b/setup/inc/class.setup.inc.php
index 8204245b53..e5d1dc2b46 100644
--- a/setup/inc/class.setup.inc.php
+++ b/setup/inc/class.setup.inc.php
@@ -88,7 +88,7 @@ class setup
 $this->detection = new setup_detection();
 $this->process = new setup_process();
- if ($_REQUEST['system_charset']) $this->system_charset = $_REQUEST['system_charset'];
+ if (preg_match('/^[a-z0-9-]+$/i', $_REQUEST['system_charset'])) $this->system_charset = $_REQUEST['system_charset'];
 /* The setup application needs these */
 if ($html) $this->html = new setup_html();
diff --git a/setup/index.php b/setup/index.php
index 095da7ec5e..f40a4b7075 100644
--- a/setup/index.php
+++ b/setup/index.php
@@ -336,7 +336,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db']) {
 $setup_info = $GLOBALS['egw_setup']->detection->upgrade_exclude($setup_info);
 // Set the DB's client charset if a system-charset is set
- if ($_REQUEST['system_charset'])
+ if (preg_match('/^[a-z0-9-]+$/i', $_REQUEST['system_charset']))
 {
 $GLOBALS['egw_setup']->system_charset = $_REQUEST['system_charset'];
 $GLOBALS['egw_setup']->db->Link_ID->SetCharSet($_REQUEST['system_charset']);
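Review bot: The allowlist pattern added in the constructor ends with `$`, which in PCRE also matches just before a trailing newline, so a charset name followed by a line feed still passes and is stored in `$this->system_charset`; anchoring the end with `\z` (or adding the `D` modifier) closes that, e.g. `preg_match('/^[a-z0-9-]+\z/i', ...)`. The value is also handed to preg_match() without confirming it is set and is a string, so an absent or array-valued request parameter produces a notice, warning or type error depending on the PHP version; putting `isset($_REQUEST['system_charset']) && is_string($_REQUEST['system_charset']) &&` in front of the match avoids that. The same pattern appears in the setup/index.php hunk and needs the same two changes. The constructor body starts and ends outside this hunk.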
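Review bot: The request value is read from `$_REQUEST` three separate times in this block, once for the check and twice for use, and the pattern is a second hand-written copy of the one in class.setup.inc.php, so the two checks can drift apart when one is tightened later. Reading it once into a local, `$charset = $_REQUEST['system_charset'];`, and passing `$charset` to both the property assignment and `SetCharSet()` keeps the checked value and the used value identical; a small shared helper on the setup class would keep both files on one pattern. The return value of `SetCharSet()` is not examined in the visible lines, and whether a failed call should stop the upgrade depends on code outside the hunk. The `if` block's closing brace is outside the hunk.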