diff --git a/Form/Type/Admin/ConfigType.php b/Form/Type/Admin/ConfigType.php
index f9b0e31..a73a931 100644
--- a/Form/Type/Admin/ConfigType.php
+++ b/Form/Type/Admin/ConfigType.php
@@ -9,6 +9,7 @@ use Symfony\Component\Form\FormBuilderInterface;
 use Symfony\Component\Validator\Constraints\File;
 use Symfony\Component\Validator\Constraints\NotBlank;
+use Symfony\Component\Validator\Constraints\Regex;
 class ConfigType extends AbstractType
 {
@@ -36,10 +37,16 @@ public function buildForm(FormBuilderInterface $builder, array $options)
             ->add('auth_magic', TextType::class, [
                 'label' => 'AUTH_MAGIC',
                 'required' => true,
-                //'placeholder' => '',
                 'attr' => [
                     'placeholder' => "旧サイトのAUTH_MAGICを入力してください。",
                 ],
+                'constraints' => [
+                    new NotBlank(['message' => 'AUTH_MAGICを入力してください。']),
+                    new Regex([
+                        'pattern' => '/^[a-zA-Z0-9_\-\.]+$/',
+                        'message' => 'AUTH_MAGICには英数字、アンダースコア、ハイフン、ドットのみ使用できます。',
+                    ]),
+                ],
             ])
         ;
     }
diff --git a/Service/DataMigrationService.php b/Service/DataMigrationService.php
index 8493e03..13244f5 100644
--- a/Service/DataMigrationService.php
+++ b/Service/DataMigrationService.php
@@ -120,6 +120,12 @@ public function isVersion($version)
     public function updateEnv($newMagicValue)
     {
+        // 改行を除去し、安全な文字のみ許可(.envインジェクション対策)
+        $newMagicValue = str_replace(["\r", "\n"], '', $newMagicValue);
+        if (!preg_match('/^[a-zA-Z0-9_\-\.]+$/', $newMagicValue)) {
+            throw new \InvalidArgumentException('AUTH_MAGIC に使用できない文字が含まれています。');
+        }
+
         $projectDir = $this->params->get('kernel.project_dir');
         $envFile = $projectDir . '/.env';
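Review bot: The new Regex constraint in the `auth_magic` field, `/^[a-zA-Z0-9_\-\.]+$/`, still accepts a value that ends in a single newline, because in PCRE `$` also matches immediately before a final newline; anchoring with `\z` (or adding the `D` modifier), `'pattern' => '/^[a-zA-Z0-9_.-]+\z/'`, makes the form reject such input itself rather than relying on TextType's default trimming. The identical pattern is hard-coded a second time in `updateEnv()` in Service/DataMigrationService.php in this same commit, so the form-side message and the service-side hard check can silently drift; declaring it once as a public class constant and referencing it from both the Regex constraint and the `preg_match` call keeps them in agreement. Escaping `-` and `.` inside the character class is unnecessary, though harmless. buildForm's body begins outside the hunk.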