WebToolsPlanet

SQL Escape / Unescape

Escape special characters in SQL string literals to prevent syntax errors and SQL injection. Supports ANSI SQL standard (doubling single quotes) and MySQL dialect (backslash sequences). Unescape SQL strings back to readable form.

Last updated: May 28, 2026


What is SQL Escape / Unescape?

SQL escaping converts characters that would break a SQL string literal into safe representations the database engine can parse correctly. The single quote is the most critical — an unescaped quote inside a string terminates it early, causing a syntax error or, worse, creating an injection vulnerability.

Two escaping conventions are widely used. The ANSI SQL standard doubles the single quote (' becomes ''), which works across most databases (PostgreSQL, SQL Server, SQLite, Oracle) and in MySQL. MySQL additionally supports backslash escaping (\' for a single quote, \n for a newline, \\ for a backslash). The other engines listed do not interpret backslash sequences inside a plain single-quoted literal: PostgreSQL only does so in E'...' strings, and SQLite, SQL Server and Oracle treat the backslash as an ordinary character, so a MySQL-escaped string pasted into one of them will mis-terminate the literal. This tool handles both conventions.

Important: parameterised queries and prepared statements are the correct solution for handling user input in production SQL. This tool is for manual SQL editing, debugging, migration scripts, and learning.

How to Use SQL Escape / Unescape

1. Paste the string you want to embed in a SQL query.
2. Select the dialect: Standard SQL or MySQL.
3. Click "Escape SQL" to produce the escaped string.
4. Copy the result and wrap it in single quotes inside your SQL statement.
5. Use "Unescape SQL" to reverse the operation when reading escaped strings.
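The two conventions described above, their inverses, and the "wrap it in single quotes" step, as an added example (not the tool's own code). It uses SQLite, which follows standard quote doubling, to confirm that a hand-built statement stores exactly the raw value; the products table and its name column are assumptions made for the example, and the MySQL sequence list is limited to the ones this page's FAQ names.

```python
import re
import sqlite3

# Added example, not the tool's own code: the two escaping conventions the
# page describes, their inverses, and the "wrap it in single quotes" step
# checked against SQLite (an engine that uses standard quote doubling).


def escape_standard(value: str) -> str:
    """ANSI SQL: inside a single-quoted literal only the quote itself is
    special, and it is written twice."""
    return value.replace("'", "''")


def unescape_standard(value: str) -> str:
    return value.replace("''", "'")


# MySQL backslash sequences, limited to the ones the FAQ on this page lists.
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\0": "\\0",
}
# Reverse map keyed by the character after the backslash: "n" -> "\n" etc.
_MYSQL_UNESCAPES = {esc[1]: raw for raw, esc in _MYSQL_ESCAPES.items()}


def escape_mysql(value: str) -> str:
    # One pass over the input, so a backslash produced by an earlier
    # substitution is never escaped a second time.
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def unescape_mysql(value: str) -> str:
    # MySQL drops the backslash in front of any character it does not
    # recognise as an escape, so "\q" becomes "q".
    def repl(match: re.Match) -> str:
        nxt = match.group(1)
        return _MYSQL_UNESCAPES.get(nxt, nxt)

    return re.sub(r"\\(.)", repl, value, flags=re.DOTALL)


def build_insert(name: str) -> str:
    """Step 4 of the procedure: wrap the escaped value in single quotes.
    Table and column names are assumed for the example."""
    return f"INSERT INTO products (name) VALUES ('{escape_standard(name)}')"


def roundtrip_through_sqlite(name: str) -> str:
    """Execute the hand-built statement and read the stored value back."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (name TEXT)")
    con.execute(build_insert(name))
    return con.execute("SELECT name FROM products").fetchone()[0]


# Constructed sample values: the page's own example plus a string that
# exercises every MySQL sequence above (NUL is kept out of SQLite here,
# since the Python driver rejects a statement text containing it).
SAMPLE = "O'Brien & Sons \"Premium\" Line"
AWKWARD = "C:\\path\\it's \"quoted\"\r\nwith NUL\0end"

if __name__ == "__main__":
    print(escape_standard(SAMPLE))
    print(escape_mysql(AWKWARD))
    print(build_insert(SAMPLE))
    assert roundtrip_through_sqlite(SAMPLE) == SAMPLE
    assert unescape_mysql(escape_mysql(AWKWARD)) == AWKWARD
```

The single-pass design in escape_mysql matters: a naive chain of replace calls has to escape the backslash first or it will double the backslashes it just inserted. The round trip through SQLite also shows that a backslash inside a standard-escaped literal is stored as-is, which is exactly why a MySQL-escaped string must not be pasted into a standard-dialect engine.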

Common Use Cases

  • Database administrators escaping names, descriptions, or notes before inserting them in migration scripts.
  • Developers building one-off SQL statements for data repair or backfill tasks where parameterised queries are unavailable.
  • Data engineers escaping CSV import values before embedding them in bulk INSERT statements.
  • QA engineers verifying that an application's SQL escaping layer handles single quotes, newlines, and null bytes correctly.
  • Security engineers checking how input containing O'Brien, quotes, or backslashes survives through a SQL generation path.

Example Input and Output

Escaping a product name that contains a single quote, an ampersand and double quotes before inserting it into a SQL statement. Only the single quote changes: inside a single-quoted literal the ampersand and the double quotes are ordinary characters and pass through untouched in the Standard SQL dialect (the MySQL dialect would also write the double quotes as \").

Raw string value:
O'Brien & Sons "Premium" Line

SQL-escaped output (Standard SQL):
O''Brien & Sons "Premium" Line

Use parameterised queries in code

For application code, always use prepared statements or parameterised queries instead of manual escaping. This tool is intended for manual SQL work, not for securing dynamic queries.

Browser-side only

Escaping and unescaping happen entirely in your browser. Your SQL content is never sent to any server.

Frequently Asked Questions

Should I use this tool for application code?
No. In application code, always use parameterised queries or prepared statements. SQL escaping by hand is error-prone and not a reliable defence against SQL injection in dynamic code. This tool is for manual SQL editing and migration scripts.
What is the difference between Standard SQL and MySQL escaping?
Standard SQL escapes a single quote by doubling it: ' becomes ''. MySQL also supports backslash escaping: \' for single quote, \\ for backslash, \n for newline, \r for carriage return, \0 for null, \" for double quote.
Does this protect against SQL injection?
Manual string escaping reduces risk but is not a complete defence. It only applies to a value placed inside a single-quoted literal: an input spliced into an unquoted numeric comparison, an identifier, an ORDER BY column or a LIMIT count gets no protection because there is nothing to escape. Dialect mismatches also bite: MySQL's NO_BACKSLASH_ESCAPES sql_mode turns \' into two literal characters, and some legacy multi-byte character sets can absorb an escaping backslash into the preceding byte, so a backslash-escaped string that is safe on one connection is not safe on another. Quote doubling is the portable choice when you must escape by hand. Use parameterised queries for all user-provided values.
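Where quote doubling holds and where it fails, covering both the dialect question above and the injection question, as an added example (not the tool's own code). SQLite is used because it treats a backslash as an ordinary character inside a literal, as MySQL does when sql_mode includes NO_BACKSLASH_ESCAPES; the users table and its rows are constructed for the example.

```python
import sqlite3

# Added example, not the tool's own code: where quote doubling holds and
# where it does not. SQLite stands in for any engine that treats a
# backslash inside a literal as an ordinary character.


def escape_standard(value: str) -> str:
    return value.replace("'", "''")


def escape_mysql_style(value: str) -> str:
    """The backslash form of the two sequences that matter here."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows and column names are assumptions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "O'Brien", "user")],
    )
    return con


def ids_by_name_escaped(con: sqlite3.Connection, name: str) -> list:
    """String context: the doubled quote keeps the whole input inside the literal."""
    sql = f"SELECT id FROM users WHERE name = '{escape_standard(name)}'"
    return [row[0] for row in con.execute(sql)]


def ids_by_id_escaped(con: sqlite3.Connection, user_id: str) -> list:
    """Numeric context: there is no quote to escape, so the input becomes SQL."""
    sql = f"SELECT id FROM users WHERE id = {escape_standard(user_id)}"
    return [row[0] for row in con.execute(sql)]


def ids_by_name_wrong_dialect(con: sqlite3.Connection, name: str):
    """MySQL-style escaping handed to an engine without backslash escapes.
    Returns None when the statement fails to parse."""
    sql = f"SELECT id FROM users WHERE name = '{escape_mysql_style(name)}'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None


def ids_by_name_param(con: sqlite3.Connection, name: str) -> list:
    """Parameterised: the value is bound by the driver, never parsed as SQL."""
    rows = con.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def ids_by_id_param(con: sqlite3.Connection, user_id: str) -> list:
    rows = con.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Quote doubling inside a string literal: the classic payload is inert.
    print(ids_by_name_escaped(db, "' OR '1'='1"))          # []
    # Same escaping in an unquoted numeric slot: the payload is live SQL.
    print(ids_by_id_escaped(db, "1 OR 1=1"))               # [1, 2, 3]
    # Wrong dialect: \' ends the literal early on this engine.
    print(ids_by_name_wrong_dialect(db, "O'Brien"))        # None
    print(ids_by_name_wrong_dialect(db, "\\' OR 1=1 -- "))  # [1, 2, 3]
    # Bound parameters are safe in both positions.
    print(ids_by_name_param(db, "\\' OR 1=1 -- "))         # []
    print(ids_by_id_param(db, "1 OR 1=1"))                 # []
```

The wrong-dialect case is the one the escaping tool cannot warn you about: the payload `\' OR 1=1 -- ` is escaped "correctly" to `\\\' OR 1=1 -- `, but an engine that does not interpret backslashes closes the literal after the third backslash and runs the rest as SQL. Quote doubling has no such mode dependency, and bound parameters remove the parsing step altogether.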
Which databases use standard SQL doubling?
PostgreSQL, SQL Server (T-SQL), SQLite, Oracle, and most ANSI-compatible databases accept doubled single quotes. MySQL accepts both styles — standard doubling and backslash escaping.
Is my SQL content sent to a server?
No. All escaping and unescaping runs in your browser. No data is transmitted.