diff --git a/src/store/adapters/postgres.rs b/src/store/adapters/postgres.rs
index cd3c4d4a..05d5e59d 100644
--- a/src/store/adapters/postgres.rs
+++ b/src/store/adapters/postgres.rs
@@ -51,6 +51,21 @@ pub async fn migrate(config: &StoreConfig) -> Result<()> {
             .await?;
 
     if !row.0 {
+        // `CREATE DATABASE` does not accept bind parameters for the database
+        // name. but this is not a critical SQL injection as the database name is not untrusted
+        // user input. nevertheless, let's validate DB identifiers to prevent the worst.
+        if !config
+            .pg
+            .database_name
+            .chars()
+            .all(|c| matches!(c, 'a'..='z' | 'A'..='Z' | '0'..='9' | '_'))
+        {
+            return Err(anyhow!(
+                "invalid database_name {:?}: only ASCII alphanumerics and underscores are allowed",
+                &config.pg.database_name
+            ));
+        }
+
         println!("Creating database {}", &config.pg.database_name);
         sqlx::query(format!("CREATE DATABASE {}", &config.pg.database_name).as_str())
             .execute(&default_pool)