How do you escape a single quote in SQL?

Double it. A literal apostrophe inside a SQL string is written as two single quotes — 'it''s' represents the value it's. This is the ANSI SQL standard and works in MySQL, PostgreSQL, SQLite, SQL Server and Oracle. This tool wraps your text in single quotes and doubles any apostrophe automatically.

Is SQL escaping a safe substitute for parameterized queries?

No. Escaping helps you build a valid string literal, but the robust defence against SQL injection is parameterized queries / prepared statements, which separate code from data entirely. Use this tool for ad-hoc scripts, migrations and seed data — not as your application's primary input handling.

Do MySQL and PostgreSQL escape strings differently?

The portable rule — doubling single quotes — works in both. MySQL also accepts backslash escapes (\') by default, while PostgreSQL treats backslashes literally unless you use an E'' string. To stay portable, this tool uses standard quote-doubling, which every major engine understands.

Does the tool upload my SQL anywhere?

No. All escaping and unescaping runs locally in your browser. Your queries, table names and seed values never leave your device — safe for production data.

How do I unescape a SQL string literal?

Paste the quoted literal (e.g. 'it''s') and click Unescape. The tool strips the surrounding quotes and collapses each doubled '' back to a single apostrophe, returning the original value.

SQL Escape - Escape & Unescape SQL Strings Online

SQL Escape & Unescape — safe SQL string literals

SQL string literals are delimited by single quotes, so any apostrophe in your data must be escaped or the statement breaks (and becomes injectable). The portable, standard rule is quote doubling: every ' becomes ''. This tool wraps your text and doubles the quotes for you, and reverses it — all in your browser.

Example

The value O'Brien escapes to:

'O''Brien'

⚠️ Escaping is not injection protection

Doubling quotes produces a valid literal, but the real defence against SQL injection is parameterized queries / prepared statements, which keep data out of the SQL text entirely. Use this tool for migrations, seed data and quick scripts — not as your app's input layer.

Dialect note

Quote doubling works everywhere (MySQL, PostgreSQL, SQLite, SQL Server, Oracle). MySQL additionally allows \' backslash escapes; PostgreSQL needs an E'' string for those. This tool emits the portable doubled-quote form on purpose.

Related escape tools

String Escaper — all-format hub
JSON Escape — for .json values
CSV Escape — escape CSV fields

SQL Escape / Unescape

Free SQL escape & unescape tool — single-quote doubling for MySQL, PostgreSQL, SQLite

SQL Escape & Unescape — safe SQL string literals

Example

⚠️ Escaping is not injection protection

Dialect note

Related escape tools