Escape username and password in setup

This should not be a big issue since only privileged users should be
able to reach the setup, but it's good to have nevertheless.

Using prepared statements seemed unfortunately not possibly, so I had to
choose `mysqli_real_escape_string`.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>