diff -r f4323fa79313 -r 275c70f80137 install.php
--- a/install.php	Fri Nov 09 18:09:29 2007 -0500
+++ b/install.php	Fri Nov 09 23:39:52 2007 -0500
@@ -193,9 +193,8 @@
   $db_pass =& $_POST['db_pass'];
   $db_name =& $_POST['db_name'];
   
-  if ( !preg_match('/^[a-z0-9_]+$/', $db_name) )
+  if ( !preg_match('/^[a-z0-9_-]+$/', $db_name) )
   {
-    die('<pre>' . htmlspecialchars(print_r($_POST, true)) . '</pre>');
     $db_name = htmlspecialchars($db_name);
     die("<p>SECURITY: malformed database name \"$db_name\"</p>");
   }
@@ -244,9 +243,16 @@
           return false;
         }
       }
+      mysql_close($conn_root);
+      $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']);
+      if ( !$conn )
+      {
+        // This should honestly never happen.
+        return false;
+      }
     }
   }
-  $q = @mysql_query("USE $db_name;", $conn);
+  $q = @mysql_query("USE `$db_name`;", $conn);
   if ( !$q )
   {
     // access denied to the database; try the whole root schenanegan again
@@ -259,7 +265,7 @@
         return false;
       }
       // create the database, if it doesn't exist
-      $q = @mysql_query("CREATE DATABASE IF NOT EXISTS $db_name;", $conn_root);
+      $q = @mysql_query("CREATE DATABASE IF NOT EXISTS `$db_name`;", $conn_root);
       if ( !$q )
       {
         // this really should never fail, so don't give any tolerance to it
@@ -269,26 +275,34 @@
       $db_user = mysql_real_escape_string($_POST['db_user']);
       $db_pass = mysql_real_escape_string($_POST['db_pass']);
       // we're in with root rights; grant access to the database
-      $q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'localhost';", $conn_root);
+      $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'localhost';", $conn_root);
       if ( !$q )
       {
         return false;
       }
       if ( $_POST['db_host'] != 'localhost' && $_POST['db_host'] != '127.0.0.1' && $_POST['db_host'] != '::1' )
       {
-        $q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'%';", $conn_root);
+        $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'%';", $conn_root);
         if ( !$q )
         {
           return false;
         }
       }
+      mysql_close($conn_root);
+      // grant tables have hopefully been flushed, kill and reconnect our regular user connection
+      mysql_close($conn);
+      $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']);
+      if ( !$conn )
+      {
+        return false;
+      }
     }
     else
     {
       return false;
     }
     // try again
-    $q = @mysql_query("USE $db_name;", $conn);
+    $q = @mysql_query("USE `$db_name`;", $conn);
     if ( !$q )
     {
       // really failed this time; bail out