Does this replace parameterized queries / prepared statements?

No. Parameterized queries are always the preferred defense against SQL injection. Use this tool for quick debugging, seed scripts, or situations where a query builder is unavailable — not as a substitute for proper input binding.

What characters get escaped?

At minimum: single quotes (') are doubled or backslash-escaped, and backslashes are doubled (for dialects that treat \ as escape). NULL bytes and control characters are hex-escaped when the dialect supports it.

Why are the rules different for each dialect?

MySQL uses backslash escaping by default (\'). PostgreSQL and SQLite use standard SQL doubling ('') and do not treat backslash as special outside dollar-quoted strings. MSSQL uses doubling like PostgreSQL but also escapes square brackets in identifiers.

How do you escape a string in SQL?

Double every single quote (' becomes '') so the database treats it as a literal character, not a string terminator. In MySQL you can also backslash-escape (\'). Paste your text above to get the correct form for your dialect.

Is my input sent to a server?

No. All escaping logic runs entirely in your browser via JavaScript. Nothing you type is transmitted anywhere.

How do I use the escaped output in a query?

Wrap the escaped value in single quotes in your SQL: SELECT * FROM users WHERE name = ' '. Enable the "Wrap in quotes" toggle to include those quotes automatically.

SQL String Escape Tool

Name: SQL String Escape Tool
Availability: InStock
Author: Nham Vu

Escape single quotes, backslashes, and special characters in strings for safe SQL queries.

Raw String Input

Options

SQL Dialect

Wrap output in single quotes

Escaped Output

Escape Rules by Dialect

Dialect	Single quote	Backslash	NULL byte
MySQL	\'	\\	\0
PostgreSQL	''	no change	removed
SQLite	''	no change	removed
MSSQL	''	no change	removed

Summary

Escape single quotes, backslashes, and special characters in strings for safe SQL queries.

How it works

Paste or type your raw string into the input field.
Select the SQL dialect that matches your database (MySQL, PostgreSQL, SQLite, or MSSQL).
The escaped output appears instantly, ready to paste into your SQL statement.
Use the Copy button to copy the escaped value to your clipboard.
Toggle "Wrap in quotes" to include the surrounding single quotes in the output.

Use cases

Escape user-supplied input before building a raw SQL query string.
Prepare string literals for database seed scripts and migration files.
Debug query building by seeing exactly how a value will appear inside SQL.
Convert multi-line or binary strings into SQL-safe representations.
Test escaping behavior across different database engines.
Quickly escape JSON blobs or HTML snippets stored in TEXT columns.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu