SQL Escape
Escape or unescape a string for safe inclusion in a SQL string literal — doubles single quotes for standard/ANSI SQL, PostgreSQL, SQL Server and SQLite, or applies MySQL's traditional backslash-escaping (backslashes, quotes, newlines, NUL, Ctrl-Z) for MySQL. Also builds a ready-to-paste quoted snippet. For ad-hoc/manual SQL only — always use parameterized queries (prepared statements) in application code instead of string concatenation.
Input
For building literals in ad-hoc/manual SQL only. This is not a substitute for parameterized queries (prepared statements) — never build queries by concatenating escaped strings in application code.
MySQL's traditional escaping also backslash-escapes backslashes, quotes and control characters — different from the plain '' quote-doubling every other dialect here uses. Pick the wrong one and the output can be invalid, or unsafe, for your target database.
Output
The escaped result wrapped in the quote syntax for the chosen dialect, ready to paste into a query. Empty in Unescape mode.
Guides
Paste a string and get back a version that's safe to drop inside a SQL string literal — single quotes doubled, and for MySQL's traditional escaping mode, backslashes and control characters escaped too. This tool is for building literals in ad-hoc, manual SQL — a one-off query in a database console, a quick script, a support ticket. It is not, and cannot be, a substitute for parameterized queries (prepared statements) in application code. If you're building queries programmatically, bind values as parameters and let your database driver handle escaping — never concatenate escaped strings into SQL yourself, even with a tool like this one. String concatenation is exactly the pattern that leads to SQL injection.
How this tool works
- Paste your text into Input Text.
- Choose the SQL Dialect you're targeting: Generic/ANSI SQL, MySQL, PostgreSQL, SQL Server, or SQLite.
- Choose Escape to make the string literal-safe, or Unescape to reverse a previously escaped string back to plain text.
The Escaped Result box holds just the escaped (or unescaped) text. The SQL Snippet box wraps that result in the quote syntax your dialect expects, so you can paste it straight into a query (e.g. 'O''Reilly', or N'...' for SQL Server). The snippet is left blank in Unescape mode, since there's nothing left to quote.
ANSI/standard escaping vs. MySQL's traditional escaping
Standard SQL — and PostgreSQL, SQL Server and SQLite as implemented here — only requires doubling single quotes: ' becomes ''. That's the entire rule; backslashes are treated as ordinary characters.
MySQL's traditional escaping is different, and conflating the two is a real source of bugs. Instead of doubling quotes, MySQL backslash-escapes: \ becomes \\, ' becomes \', " becomes \", and newline, carriage return, NUL, and Ctrl-Z become \n, \r, \0, \Z respectively. Escaping a MySQL string with the ANSI rule (or vice versa) can leave a stray backslash or an unescaped quote in the output — at best a syntax error, at worst a broken escaping boundary an attacker can exploit. Pick the dialect that matches your actual database.
PostgreSQL is a partial exception worth knowing: a backslash is only an escape character inside an E'...' (escape) string, not a plain '...' string. This tool's SQL Snippet output adds the E prefix automatically whenever the escaped text contains a backslash.
Unescape mode
Already have an escaped value — from a log file, an old query, or a database export — and want the original text back? Switch Mode to Unescape and pick the same dialect that produced it. The tool reverses the doubling or backslash-escaping to recover the original string.
Why not just use this to build my query?
Because escaping is inherently fragile: it depends on getting the dialect, the character set, and the quoting context exactly right, and a single missed case can reopen the door to SQL injection. Parameterized queries sidestep the whole problem — the database driver sends your value separately from the SQL text, so it's never interpreted as SQL no matter what characters it contains. Use this tool for genuinely manual, human-typed SQL; use bound parameters everywhere else.
Privacy
This tool runs entirely in your browser. Your text is never uploaded to a server.