Placing a value inside a SQL string literal means escaping it so a stray quote cannot break out of the string. This tool applies the correct rule for your dialect: ANSI quote-doubling, or MySQL’s additional backslash handling.
How it works
Standard SQL needs only quote-doubling. MySQL, by default, also treats the backslash as special, so more characters must be escaped:
Standard: ' -> ''
MySQL: ' -> '' \ -> \\ NUL -> \0
newline -> \n carriage return -> \r tab -> \t
In both modes the result is the body of the literal; turn on the wrap option to get it enclosed in single quotes as a ready-to-use literal.
When you actually need this
Ad-hoc database work. When running one-off queries in a database client — a psql or mysql shell, DBeaver, TablePlus — you may need to include a literal value that contains a single quote. A name like O'Brien, a file path like C:\Users\me, or a sentence of prose with apostrophes will all break the query without escaping. This tool handles it in one step.
Generating test fixtures and seed data. If you are writing a SQL seed file (an .sql file for seeding a test database), you may have dozens of literal string values that need to be properly escaped. Paste each value here to get the escaped body, then wrap it in your INSERT statements.
Understanding why a query is failing. If you are debugging a query that contains a string literal and it throws a syntax error, pasting the value here shows you immediately whether an unescaped character is the culprit.
Worked examples
Standard SQL (PostgreSQL, SQLite, SQL Server, Oracle):
Input: O'Brien's report
Escaped: O''Brien''s report
Wrapped: 'O''Brien''s report'
This form drops directly into a WHERE name = 'O''Brien''s report' clause.
MySQL mode:
Input: C:\temp\file
Escaped: C:\\temp\\file
Wrapped: 'C:\\temp\\file'
MySQL’s default string parsing treats \t as a tab character, \n as a newline, and \\ as a literal backslash. Without escaping the backslash, C:\temp would be interpreted as C: followed by a tab character and then emp.
The stronger alternative: parameterised queries
Manual escaping has a place for ad-hoc work, but it is fragile in application code. The correct approach for any query built from user input is to use parameterised queries (also called prepared statements or parameter binding). The database driver handles escaping internally, the query structure and the data are never mixed, and the result is immune to SQL injection regardless of what characters appear in the input.
# Python — parameterised (correct)
cursor.execute("SELECT * FROM users WHERE name = %s", (user_input,))
# String escaping (fragile, don't do this in production)
cursor.execute(f"SELECT * FROM users WHERE name = '{escape(user_input)}'")
Use this tool for the first scenario (ad-hoc shells, fixtures, learning) and parameterised queries for everything else.