diff --git a/server/channelserver/handlers_commands.go b/server/channelserver/handlers_commands.go
index 2dda089ba..611541547 100644
--- a/server/channelserver/handlers_commands.go
+++ b/server/channelserver/handlers_commands.go
@@ -258,7 +258,7 @@ func parseChatCommand(s *Session, command string) {
 	if commands["Rights"].Enabled || s.isOp() {
 		if len(args) > 1 {
 			v, err := strconv.Atoi(args[1])
-			if err != nil {
+			if err != nil || v < 0 || v > math.MaxUint32 {
 				sendServerChatMessage(s, fmt.Sprintf(s.server.i18n.commands.rights.error, commands["Rights"].Prefix))
 				return
 			}
diff --git a/server/setup/wizard.go b/server/setup/wizard.go
index ca05771bc..e6410a5a5 100644
--- a/server/setup/wizard.go
+++ b/server/setup/wizard.go
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"net"
 	"os"
+
+	"github.com/lib/pq"
 )
 
 // clientModes returns all supported client version strings.
@@ -150,14 +152,7 @@ func createDatabase(host string, port int, user, password, dbName string) error
 	}
 	defer func() { _ = db.Close() }()
 
-	// Database names can't be parameterized; validate it's alphanumeric + underscores.
-	for _, c := range dbName {
-		if (c < 'a' || c > 'z') && (c < 'A' || c > 'Z') && (c < '0' || c > '9') && c != '_' {
-			return fmt.Errorf("invalid database name %q: only alphanumeric characters and underscores allowed", dbName)
-		}
-	}
-
-	_, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s", dbName))
+	_, err = db.Exec("CREATE DATABASE " + pq.QuoteIdentifier(dbName))
 	if err != nil {
 		return fmt.Errorf("creating database: %w", err)
 	}
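Review bot: The added bound `v > math.MaxUint32` in the Rights handler will not compile on 32-bit targets (GOARCH=386, arm), because `v` is an `int` from `strconv.Atoi` and the untyped constant 4294967295 overflows a 32-bit `int` when it is converted for the comparison. Parsing straight into the intended width removes both that problem and the separate sign check: `v, err := strconv.ParseUint(args[1], 10, 32)` followed by the original `if err != nil {` rejects negatives, non-digits and anything above MaxUint32 in one call (it also stops accepting a leading `+`, which Atoi allowed). `v` then becomes a `uint64`, so the later use of `v` outside this hunk may need a `uint32(v)` conversion, and the `math` import can go if nothing else in the file uses it. parseChatCommand begins before this hunk and continues past it.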
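Review bot: Neither the removed allow-list nor `pq.QuoteIdentifier` rejects an empty name or one containing a NUL byte; QuoteIdentifier truncates at the first zero byte, so `"prod\x00junk"` silently becomes `"prod"`, and an empty input is sent to the server as `CREATE DATABASE ""` and only fails with a remote syntax error. A guard before the Exec keeps the failure local and explicit: `if dbName == "" || strings.ContainsRune(dbName, 0) { return fmt.Errorf("invalid database name %q", dbName) }` (add a `strings` import if the file does not already have one). Note also that quoting makes the identifier case-sensitive, whereas PostgreSQL folds the previous unquoted form to lowercase, so `MyDB` now creates `MyDB` rather than `mydb`; it is worth confirming that whatever later connects with this name passes the same literal string. createDatabase's body starts before this hunk and ends after it.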