sql-encoder
A SQL string escaper produces a safely-quotable string literal for inclusion in a SQL statement β replacing single quotes with the dialect-correct doubled or backslashed form, handling backslashes, NUL bytes, newlines, and other special characters that vary by database (MySQL backslash escapes, PostgreSQL standard-conforming strings, SQLite quote-doubling). The ZTools SQL Encoder is for generating safe ad-hoc query strings for migrations, debugging, or one-off tooling. It is NOT a substitute for parameterised queries in production code β always use prepared statements with bind parameters as the primary defence against SQL injection.
Use casesβ
Ad-hoc data migrationsβ
A one-off CSV-to-SQL conversion. Escape each value before composing INSERT statements; load via psql / mysql client.
Debugging by hand-crafted queryβ
Reproducing an issue with specific input that contains apostrophes or backslashes. Escape correctly so the manual query runs without a syntax error.
Generating seed scriptsβ
Test fixtures with multilingual content (apostrophes, accented characters, smart quotes). Escape into safe SQL literals.
Reporting tools that emit SQLβ
A reporting harness builds queries dynamically. Escape input values rather than concatenating raw strings.
How it worksβ
- Pick the dialect β MySQL, PostgreSQL, SQLite, MSSQL, Oracle. Each escapes slightly differently.
- Paste the raw string β Whatever you want to embed inside single-quoted SQL literals.
- Encode β Apply dialect-specific rules: PostgreSQL doubles single quotes (
''); MySQL with backslash mode replaces with\\'; SQLite always doubles. - Wrap in quotes β Optionally produce the full quoted literal
'...'ready to paste into a query. - Copy β Output to clipboard. Always paste into a query you control β never use generated SQL with untrusted input in production.
Examplesβ
Input: O'Reilly (PostgreSQL)
Output: O''Reilly
Input: Hello\nWorld (MySQL)
Output: Hello\\nWorld
Input: Standard-conforming PostgreSQL with E'\\'
Output: E'\\\\' literal
Frequently asked questionsβ
Should I use this in production?
No. Production code MUST use parameterised queries (prepared statements with bind parameters). The escaper is for one-off scripts and debugging; even slightly wrong escapes lead to SQL injection.
Why do dialects escape differently?
Historical accident. PostgreSQL's standard-conforming strings double the quote (''). MySQL added backslash escapes for C-style strings. SQLite doubles. Dialect-specific encoding is the only safe default.
Does it handle NUL bytes?
PostgreSQL forbids NUL in TEXT columns; MySQL escapes as \\0. The encoder warns when NUL bytes are present.
What about Unicode / emoji?
Most modern databases store Unicode natively as UTF-8. Pass through as-is unless the database encoding is non-UTF-8.
How do I generate parameterised queries?
Outside this tool β your language's database driver provides bind-parameter APIs (e.g. ? placeholders + array of values). The escaper is only for direct-string-injection contexts.
Are stored-procedure call arguments different?
They use the same string-literal rules. Bind parameters are still preferred where supported.
Tipsβ
- Default to parameterised queries β the escaper is for ad-hoc tooling only.
- Pick the right dialect. MySQL escapes are wrong on PostgreSQL and vice-versa.
- For multi-line strings, use the dialect's string literal escapes (
\\nMySQL,chr(10)PostgreSQL's standard mode). - After generating, paste into a SQL editor first and run EXPLAIN β verify the syntax is right before running on real data.
- Document any generated SQL clearly β readers may not realise values came from a templating step.
Try it nowβ
The full sql-encoder runs in your browser at https://ztools.zaions.com/sql-encoder β no signup, no upload, no data leaves your device.
Last updated: 2026-05-05 Β· Author: Ahsan Mahmood Β· Edit this page on GitHub