Make SQL strings safe by escaping quotes and control characters, or reverse escaped text back to plain form. Pair with parameterized queries for stronger protection.
Parameterized queries (prepared statements) are the recommended way to prevent SQL injection. Use this tool when you need to escape literals and cannot use placeholders.
You paste a string or fragment that will go into a SQL query. Escape turns backslashes, single and double quotes, null bytes, and newline-style characters into backslash sequences so they do not terminate the literal early or change the query's meaning. Unescape reverses those sequences. Sanitize strips characters and patterns often used in injection (semicolons, comment markers, and some keywords). Output is plain text you copy into your code or query builder.
Escaping alone does not guarantee safety. Dialects differ (MySQL vs PostgreSQL vs SQL Server), and context matters (string literal vs identifier vs number). This tool uses a small, predictable set of escape rules. For user-supplied or untrusted input, prefer parameterized queries or prepared statements so the database treats data as data. Use escaping for edge cases or legacy code where placeholders are not an option.
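The escape and unescape rules described above, as an added example that is not the tool's own code. It assumes a MySQL-style mapping (backslash, both quote types, NUL, newline and carriage return), uses a constructed in-memory SQLite table, and shows the dialect caveat: the same escaped literal that MySQL accepts is rejected by SQLite, while a placeholder works everywhere.

```python
"""Backslash-escape a SQL string literal, reverse it, and compare with placeholders."""
import sqlite3

# Assumed mapping (MySQL-style): each special character and its escape sequence.
ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
}
# Map the character that follows a backslash back to the original character.
UNESCAPES = {seq[1]: ch for ch, seq in ESCAPES.items()}

def escape(text: str) -> str:
    """Replace every special character with its backslash sequence."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)

def unescape(text: str) -> str:
    """Reverse escape(); an unknown or trailing backslash is kept as-is."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in UNESCAPES:
            out.append(UNESCAPES[text[i + 1]])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table; the only row with a quote is O'Brien."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("O'Brien",), ("alice",)])
    return conn

def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Preferred: the placeholder sends the value as data, in every dialect."""
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

def find_user_interpolated(conn: sqlite3.Connection, name: str):
    """Legacy: escape, then interpolate. Returns None when the dialect rejects the
    literal; SQLite does not treat backslash as an escape, so 'O\\'Brien' is a syntax error."""
    sql = f"SELECT name FROM users WHERE name = '{escape(name)}'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None
```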