SQL Escape
Escape text for SQL single-quoted string literals by doubling single quotes and escaping backslashes.
Example
Input:
O'Reilly said: C:\temp isn't 'safe'
Output (escaped body):
O''Reilly said: C:\\temp isn''t ''safe''
Use it in a query like:
INSERT INTO notes (txt) VALUES ('O''Reilly said: C:\\temp isn''t ''safe''');
How it works
Paste any string and it instantly returns the escaped body, where each single quote becomes two single quotes and each backslash is doubled. Wrap the result in single quotes when building your query.
Good to know
SQL Escape takes any plain string and turns it into a body you can drop inside a single-quoted SQL string literal. It does exactly two transformations: every single quote becomes two single quotes, and every backslash becomes two backslashes. It's aimed at developers, data analysts, and anyone hand-writing INSERT/UPDATE statements, seed files, or one-off queries where a value contains apostrophes, Windows paths, or quoted phrases that would otherwise break the SQL.
Reach for it when you're building a query string by concatenation rather than binding parameters: pasting log lines into a debug query, generating a migration or fixture file, scripting a quick bulk insert, or fixing a value that keeps throwing a syntax error near an apostrophe. Because it runs entirely in your browser, it's also safe for sensitive data you'd rather not paste into a remote service.
The output box shows only the escaped body, not a complete literal, so you still need to wrap it yourself in single quotes when you assemble the statement. The status line above the panes is a sanity check, not just decoration: it reports how many quotes and backslashes were escaped, which helps you confirm the value actually changed and catch cases where you escaped the wrong field. If those counts are zero, the value had nothing to escape and is already safe to drop in as-is.
- Tip: the backslash doubling targets MySQL/MariaDB defaults; on PostgreSQL or SQLite, where backslashes are ordinary characters in standard literals, doubled backslashes will be stored literally as two characters, so escape only quotes (or use a parameterized query) if you need an exact one-backslash value there.
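The engine difference in the tip above, as an added example (not the tool's own source): a dialect-aware version of the two transformations plus a simplified model of how each engine reads the literal body back, so a round trip can be checked. The dialect keys, function names and the decoder are assumptions made for this sketch, and only the listed MySQL escape sequences are modelled.

```javascript
// Added example, not the tool's source. Dialect keys and function names are assumptions.
const BACKSLASH_IS_ESCAPE = { mysql: true, mariadb: true, postgresql: false, sqlite: false };
// MySQL escape sequences modelled by decodeBody; \% and \_ are left out.
const SEQ = { n: "\n", t: "\t", r: "\r", b: "\b", 0: "\0", Z: "\x1a" };

// Escape a value for the body of a single-quoted literal and return the counts
// the status line reports (quotes escaped, backslashes escaped).
function escapeBody(value, dialect) {
  if (!Object.hasOwn(BACKSLASH_IS_ESCAPE, dialect)) throw new Error(`unknown dialect: ${dialect}`);
  let quotes = 0, backslashes = 0;
  const body = value.replace(/['\\]/g, (ch) => {
    if (ch === "'") { quotes++; return "''"; }
    if (!BACKSLASH_IS_ESCAPE[dialect]) return ch; // ordinary character on this engine
    backslashes++;
    return "\\\\";
  });
  return { body, quotes, backslashes };
}

// Simplified model of how the engine reads the body back out of '...'.
function decodeBody(body, dialect) {
  const bs = BACKSLASH_IS_ESCAPE[dialect];
  let out = "";
  for (let i = 0; i < body.length; i++) {
    const ch = body[i], next = body[i + 1];
    if (ch === "'" && next === "'") { out += "'"; i++; }
    else if (ch === "'") throw new Error(`literal ends early at offset ${i}`);
    else if (bs && ch === "\\") {
      if (next === undefined) throw new Error("trailing backslash escapes the closing quote");
      out += SEQ[next] ?? next; i++;
    } else out += ch;
  }
  return out;
}

const SAMPLE = "O'Reilly said: C:\\temp isn't 'safe'"; // the page's example input
const forMysql = escapeBody(SAMPLE, "mysql");
console.log(forMysql.body, forMysql.quotes, forMysql.backslashes);
console.log(decodeBody(forMysql.body, "mysql") === SAMPLE);      // same value comes back
console.log(decodeBody(forMysql.body, "postgresql") === SAMPLE); // stored value differs
```

Feeding a body escaped for one dialect into the decoder for the other shows both failure modes the page describes: an extra backslash on PostgreSQL/SQLite, and a tab or a swallowed closing quote on MySQL/MariaDB.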
Frequently asked questions
Does this make my queries safe from SQL injection?
It correctly escapes single quotes and backslashes for single-quoted string literals, but parameterized queries (bound parameters) are still the recommended, safest approach. Use this for quick scripting, logging, or generating literals, not as your primary injection defense.
Why are backslashes doubled?
Some databases (notably MySQL/MariaDB with default settings) treat the backslash as an escape character inside string literals, so a single backslash can alter the string or escape the closing quote. Doubling backslashes keeps the literal intact on those engines; on engines that don't treat backslash specially, doubled backslashes are still syntactically safe within standard string literals, but they are stored as two characters rather than one.
Is my data uploaded anywhere?
No — this tool runs entirely in your browser. Your input never leaves your device and it works offline once loaded.
Is it free?
Yes, completely free with no sign-up and no limits.
People also ask
How do I escape a single quote in a SQL string?
Inside a single-quoted SQL literal you double the quote, so O'Reilly becomes 'O''Reilly'. This standard SQL escaping works across MySQL, PostgreSQL, SQL Server, SQLite, and Oracle.
What is the difference between escaping and parameterized queries?
Escaping rewrites the value so it fits safely inside a literal you build yourself, while a parameterized (prepared) query sends the SQL and the value separately so the database never parses the value as code. Parameterized queries are generally considered the more reliable defense against SQL injection.
Does PostgreSQL need backslashes escaped in strings?
By default PostgreSQL treats backslashes as ordinary characters in standard string literals, so they do not need doubling there; only single quotes do. Doubling backslashes for Postgres would store two backslash characters instead of one.
How do I insert a Windows file path into a SQL query?
Paths like C:\temp\file.txt contain backslashes that MySQL/MariaDB interpret as escape characters, so on those engines each backslash should be doubled inside the literal. On PostgreSQL or SQLite the single backslashes are usually fine as-is.
Why does my SQL query break when a value contains an apostrophe?
An unescaped apostrophe ends the string literal early, so the database reads the rest of the value as SQL and reports a syntax error. Doubling the quote (or binding the value as a parameter) keeps the literal intact.
Can I escape a value for a SQL LIKE pattern with this tool?
This tool handles only the string-literal level (quotes and backslashes), not the LIKE wildcard characters % and _. For LIKE patterns you also need to escape those wildcards separately, typically with an ESCAPE clause.
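The two levels of escaping a LIKE pattern needs, as an added example (not part of the tool): wildcards are neutralised first, then the finished pattern is escaped as a string literal. The `!` escape character, the function names and the reference matcher are assumptions for this sketch; the column name must be a fixed identifier from your own code.

```javascript
// Added example, not the tool's source. LIKE_ESC, the function names and the
// column name passed in are assumptions.
const LIKE_ESC = "!";

// Level 1: make %, _ and the escape character itself literal in the pattern.
function escapeLikeTerm(term) {
  return term.replace(/[!%_]/g, (ch) => LIKE_ESC + ch);
}

// Level 2: literal escaping of the finished pattern. Quotes only; on
// MySQL/MariaDB defaults backslashes in the term must be doubled here too.
function containsClause(column, term) {
  const body = ("%" + escapeLikeTerm(term) + "%").replace(/'/g, "''");
  return `${column} LIKE '${body}' ESCAPE '${LIKE_ESC}'`;
}

const reLiteral = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Reference matcher for LIKE ... ESCAPE '!' (case-sensitive, which real
// engines may not be), used to check what a pattern actually matches.
function likeMatches(pattern, text) {
  let re = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === LIKE_ESC && i + 1 < pattern.length) re += reLiteral(pattern[++i]);
    else if (ch === "%") re += "[\\s\\S]*";
    else if (ch === "_") re += "[\\s\\S]";
    else re += reLiteral(ch);
  }
  return new RegExp("^" + re + "$").test(text);
}
```

With the search term `50%`, the unescaped pattern `%50%%` also matches rows containing `500`, while the escaped pattern `%50!%%` matches only rows that contain the literal text `50%`.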
Is doubling backslashes safe on databases that don't use them as escapes?
On engines that treat backslash as an ordinary character, a doubled backslash is stored as two backslash characters rather than one, so the value changes. It is safe syntactically but may not match the exact string you intended, so escape backslashes only when the target engine requires it.