SQL Escape
指导
SQL Escape
Escape special characters in strings for safe use in SQL queries. Supports multiple SQL dialects including MySQL, PostgreSQL, SQL Server, and SQLite. Prevents SQL injection by properly escaping quotes, backslashes, and other dangerous characters before they reach your database.
如何使用
Paste your raw string into the input area, select your SQL dialect, and click Escape. The tool applies dialect-specific escaping rules and outputs the safe string. Switch to Unescape mode to reverse the process and recover the original text from an escaped string.
特征
- 5 SQL Dialects – Generic/ANSI SQL, MySQL, PostgreSQL, SQL Server, and SQLite with dialect-specific escaping rules
- Escape & Unescape – Two-way conversion: escape raw strings for SQL or unescape SQL strings back to raw text
- Comprehensive Escaping – Handles single quotes, double quotes, backslashes, NUL bytes, newlines, carriage returns, and dialect-specific characters
- Ready-to-Use Output – Escaped strings ready to paste directly into SQL queries
- 复制到剪贴板 – One-click copy of the escaped result
- 仅客户端 – All processing happens in your browser with no data sent to any server
常问问题
-
Why do different SQL databases need different escaping?
Each SQL database engine has its own rules for handling special characters in strings. MySQL uses backslash escaping (\' for single quotes) while PostgreSQL and ANSI SQL use doubled single quotes (''). SQL Server uses doubled single quotes for strings but square brackets for identifiers. Using the wrong escaping method for your database can leave queries vulnerable to injection or cause syntax errors.
-
Should I use string escaping or parameterized queries?
Parameterized queries (prepared statements) are always the preferred approach for preventing SQL injection in production code. They separate the SQL structure from the data, making injection impossible by design. String escaping is useful for quick testing, debugging, writing one-off scripts, or situations where parameterized queries are not available. For any production application handling user input, always use parameterized queries.
-
What characters does SQL escaping handle?
SQL escaping handles characters that could break query syntax or enable injection attacks. The most important is the single quote ('), which delimits strings in SQL. Other escaped characters include double quotes ("), backslashes (\), NUL bytes (\0), newlines (\n), carriage returns (\r), and the SUB character (\Z in MySQL). The exact set of escaped characters varies by SQL dialect.
