diff --git a/adm/admin.lib.php b/adm/admin.lib.php
index 31f765e45..daf6383c7 100644
--- a/adm/admin.lib.php
+++ b/adm/admin.lib.php
@@ -477,7 +477,7 @@ function admin_check_xss_params($params){
 
         if( is_array($value) ){
             admin_check_xss_params($value);
-        } else if ( preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value)) ){
+        } else if ( (preg_match('/<\s?[^\>]*\/?\s?>/i', $value) && (preg_match('/script.*?\/script/ius', $value) || preg_match('/[onload|onerror]=.*/ius', $value))) || preg_match('/^(?=.*get_ajax_token\()(?=.*xmlhttprequest\()(?=.*send\().*$/im', $value) ){
             alert('요청 쿼리에 잘못된 스크립트문장이 있습니다.\\nXSS 공격일수도 있습니다.');
             die();
         }
diff --git a/adm/board_form.php b/adm/board_form.php
index 3e60031d2..f75650a74 100644
--- a/adm/board_form.php
+++ b/adm/board_form.php
@@ -82,6 +82,7 @@ if (!isset($board['bo_use_captcha'])) {
 
 $required = "";
 $readonly = "";
+$sound_only = "";
 if ($w == '') {
 
     $html_title .= ' 생성';
diff --git a/install/ajax.install.check.php b/install/ajax.install.check.php
index fd5616f73..a6fc82f2c 100644
--- a/install/ajax.install.check.php
+++ b/install/ajax.install.check.php
@@ -15,6 +15,10 @@ if (file_exists($dbconfig_file)) {
     die(install_json_msg('프로그램이 이미 설치되어 있습니다.'));
 }
 
+if (preg_match("/[^0-9a-z_]+/i", $_POST['table_prefix']) ) {
+    die(install_json_msg('TABLE명 접두사는 영문자, 숫자, _ 만 입력하세요.'));
+}
+
 $mysql_host  = safe_install_string_check($_POST['mysql_host'], 'json');
 $mysql_user  = safe_install_string_check($_POST['mysql_user'], 'json');
 $mysql_pass  = safe_install_string_check($_POST['mysql_pass'], 'json');
diff --git a/install/install_config.php b/install/install_config.php
index 468c89372..03d3f3e86 100644
--- a/install/install_config.php
+++ b/install/install_config.php
@@ -61,7 +61,7 @@ $ajax_token = md5($tmp_str.$_SERVER['REMOTE_ADDR'].$_SERVER['DOCUMENT_ROOT']);
         <th scope="row"><label for="table_prefix">TABLE명 접두사</label></th>
         <td>
             <input name="table_prefix" type="text" value="g5_" id="table_prefix">
-            <span>가능한 변경하지 마십시오.</span>
+            <span>TABLE명 접두사는 영문자, 숫자, _ 만 입력 가능합니다.</span>
         </td>
     </tr>
     </tbody>
diff --git a/install/install_db.php b/install/install_db.php
index 89e78a8ec..bd2a66acf 100644
--- a/install/install_db.php
+++ b/install/install_db.php
@@ -33,6 +33,10 @@ $admin_pass  = $_POST['admin_pass'];
 $admin_name  = $_POST['admin_name'];
 $admin_email = $_POST['admin_email'];
 
+if (preg_match("/[^0-9a-z_]+/i", $table_prefix) ) {
+    die('<div class="ins_inner"><p>TABLE명 접두사는 영문자, 숫자, _ 만 입력하세요.</p><div class="inner_btn"><a href="./install_config.php">뒤로가기</a></div></div>');
+}
+
 if (preg_match("/[^0-9a-z_]+/i", $admin_id)) {
     die('<div class="ins_inner"><p>관리자 아이디는 영문자, 숫자, _ 만 입력하세요.</p><div class="inner_btn"><a href="./install_config.php">뒤로가기</a></div></div>');
 }
@@ -340,10 +344,10 @@ $f = @fopen($file, 'a');
 
 fwrite($f, "<?php\n");
 fwrite($f, "if (!defined('_GNUBOARD_')) exit;\n");
-fwrite($f, "define('G5_MYSQL_HOST', '{$mysql_host}');\n");
-fwrite($f, "define('G5_MYSQL_USER', '{$mysql_user}');\n");
-fwrite($f, "define('G5_MYSQL_PASSWORD', '{$mysql_pass}');\n");
-fwrite($f, "define('G5_MYSQL_DB', '{$mysql_db}');\n");
+fwrite($f, "define('G5_MYSQL_HOST', '".addcslashes($mysql_host, "\\'")."');\n");
+fwrite($f, "define('G5_MYSQL_USER', '".addcslashes($mysql_user, "\\'")."');\n");
+fwrite($f, "define('G5_MYSQL_PASSWORD', '".addcslashes($mysql_pass, "\\'")."');\n");
+fwrite($f, "define('G5_MYSQL_DB', '".addcslashes($mysql_db, "\\'")."');\n");
 fwrite($f, "define('G5_MYSQL_SET_MODE', {$mysql_set_mode});\n\n");
 fwrite($f, "define('G5_TABLE_PREFIX', '{$table_prefix}');\n\n");
 fwrite($f, "\$g5['write_prefix'] = G5_TABLE_PREFIX.'write_'; // 게시판 테이블명 접두사\n\n");
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 88f2c45cd..971960623 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3070,6 +3070,22 @@ function clean_xss_attributes($str)
     return $str;
 }
 
+function clean_relative_paths($path){
+    $path_len = strlen($path);
+    
+    $i = 0;
+    while($i <= $path_len){
+        $result = str_replace('../', '', str_replace('\\', '/', $path));
+
+        if((string)$result === (string)$path) break;
+
+        $path = $result;
+        $i++;
+    }
+
+    return $path;
+}
+
 // unescape nl 얻기
 function conv_unescape_nl($str)
 {