SQL String Escaper

Escape single quotes and backslashes for safe SQL literals

Escape a string for use inside a SQL literal: double single quotes per the SQL standard, with an optional MySQL mode that also escapes backslashes and control characters. Wrap in quotes on demand. Runs entirely in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How does standard SQL escape a string?

ANSI SQL escapes a single quote by doubling it, so O'Brien becomes O''Brien. That is the only escaping the standard requires inside a single-quoted string literal. This tool's Standard mode applies exactly that rule and nothing more.

Placing a value inside a SQL string literal means escaping it so a stray quote cannot break out of the string. This tool applies the correct rule for your dialect: ANSI quote-doubling, or MySQL’s additional backslash handling.

How it works

Standard SQL needs only quote-doubling. MySQL, by default, also treats the backslash as special, so more characters must be escaped:

Standard:  '  -> ''
MySQL:     '  -> ''    \ -> \\    NUL -> \0
           newline -> \n   carriage return -> \r   tab -> \t

In both modes the result is the body of the literal; turn on the wrap option to get it enclosed in single quotes as a ready-to-use literal.

When you actually need this

Ad-hoc database work. When running one-off queries in a database client — a psql or mysql shell, DBeaver, TablePlus — you may need to include a literal value that contains a single quote. A name like O'Brien, a file path like C:\Users\me, or a sentence of prose with apostrophes will all break the query without escaping. This tool handles it in one step.

Generating test fixtures and seed data. If you are writing a SQL seed file (an .sql file for seeding a test database), you may have dozens of literal string values that need to be properly escaped. Paste each value here to get the escaped body, then wrap it in your INSERT statements.

Understanding why a query is failing. If you are debugging a query that contains a string literal and it throws a syntax error, pasting the value here shows you immediately whether an unescaped character is the culprit.

Worked examples

Standard SQL (PostgreSQL, SQLite, SQL Server, Oracle):

Input: O'Brien's report

Escaped: O''Brien''s report

Wrapped: 'O''Brien''s report'

This form drops directly into a WHERE name = 'O''Brien''s report' clause.

MySQL mode:

Input: C:\temp\file

Escaped: C:\\temp\\file

Wrapped: 'C:\\temp\\file'

MySQL’s default string parsing treats \t as a tab character, \n as a newline, and \\ as a literal backslash. Without escaping the backslash, C:\temp would be interpreted as C: followed by a tab character and then emp.

The stronger alternative: parameterised queries

Manual escaping has a place for ad-hoc work, but it is fragile in application code. The correct approach for any query built from user input is to use parameterised queries (also called prepared statements or parameter binding). The database driver handles escaping internally, the query structure and the data are never mixed, and the result is immune to SQL injection regardless of what characters appear in the input.

# Python — parameterised (correct)
cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))

# String escaping (fragile, don't do this in production)
cursor.execute(f"SELECT * FROM users WHERE name = '{escape(user_input)}'")

Use this tool for the first scenario (ad-hoc shells, fixtures, learning) and parameterised queries for everything else.