Which languages are supported?

JavaScript/TypeScript, Java, C/C++, JSON, SQL (single-quote doubling), CSV (RFC 4180 quoting) and POSIX shell single-quote escaping are all supported.

Why escape strings per language?

Each language uses different escape rules — SQL doubles single quotes, CSV wraps fields containing commas in quotes, and C-style languages use backslash sequences. Using the right scheme prevents syntax errors and injection bugs.

Does it help prevent SQL injection?

Escaping is a convenience for static values; for user input always use parameterised queries. This tool is best for quickly embedding known literals into code or config.

Can I round-trip a value by escaping then unescaping?

Yes. For each supported language, escaping and then unescaping returns the original text, so you can safely verify a literal before pasting it into source code.

Why does the JSON option differ from full JavaScript escaping?

JSON only permits a fixed set of escape sequences and always uses double quotes, whereas JavaScript also allows single-quoted strings and additional escapes. Choosing JSON keeps the output strictly valid inside a JSON document.

Is the shell escaping safe for any string?

The single-quote strategy used here safely encodes arbitrary text for POSIX shells. For maximum safety with untrusted input, still prefer passing arguments as an array to your process API rather than building a command string.

String Escape / Unescape

Pick a target language and paste your text to escape special characters for source code — or reverse it. Runs entirely in your browser.

Updated June 2026

Files never leave your browser

Language

Raw string

How to use String Escape / Unescape

The String Escape / Unescape tool prepares text for embedding inside source code across many languages — JavaScript, Java, C/C++, JSON, SQL, CSV and POSIX shell. Each language has its own rules for quoting and escaping special characters, and getting them wrong causes syntax errors or injection bugs. Pick a target language, paste your text, and the tool escapes (or unescapes) it according to that language's conventions, entirely in your browser so nothing is ever uploaded.

Select the target language or format from the selector.
Choose "Escape" to encode text for that language, or "Unescape" to decode it.
Paste the text you want to convert into the input area.
Review the escaped or unescaped output as it updates live.
Copy the result and paste it directly into your source file.

Your data never leaves your device — 100% private processing.

Why escaping rules differ between languages

Although most C-family languages share backslash escape sequences such as \n and \t, the details diverge in important ways. SQL string literals do not use backslashes at all in standard mode — a single quote inside a value is escaped by doubling it ('' ). CSV follows RFC 4180: a field is wrapped in double quotes if it contains a comma, a quote or a newline, and any embedded quotes are themselves doubled. POSIX shell single-quoted strings cannot contain a single quote at all, so the safe technique is to close the quote, insert an escaped quote, and reopen. Using the wrong scheme for the target context is a classic source of both bugs and security vulnerabilities like SQL injection.

Escaping conventions by language
Language	Quote escape	Mechanism
JavaScript / Java / C	\" or \'	Backslash sequences
JSON	\"	Backslash, double quotes only
SQL	''	Double the single quote
CSV	""	Wrap field, double quotes
Shell	'\''	Close, escape, reopen quote

Escaping is not a substitute for parameterisation

For SQL in particular, manually escaping a value is acceptable for known, static literals you are typing into a migration or seed script, but it is the wrong tool for handling user input at runtime. The robust defence against SQL injection is parameterised queries (prepared statements), where the database driver keeps data and code strictly separate. Likewise, when building shell commands programmatically, prefer passing arguments as an array to the process API rather than concatenating an escaped string. Treat this tool as a convenience for embedding fixed values into code and config, not as a security boundary for untrusted data.

Worked examples

Escape for SQL

Inputs: O'Brien

Result: O''Brien

Escape for CSV

Inputs: a,b "c"

Result: "a,b ""c"""

Glossary

Escape: To replace special characters with a representation that a particular language or format can store safely inside a literal.
RFC 4180: The specification that defines CSV formatting, including when and how to quote fields and escape embedded quotes.
Quote doubling: The SQL and CSV technique of representing a literal quote character by writing it twice.
Parameterised query: A database query where values are passed separately from the SQL text, the recommended defence against injection.
POSIX shell quoting: Rules for safely representing strings in a shell command, where single-quoted text is taken literally.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use String Escape / Unescape?

Escape text correctly for seven different languages and formats from one interface
Reverse the process to recover the original value from an escaped literal
Avoid syntax errors caused by unescaped quotes and backslashes in source code
Apply the right scheme automatically — SQL quote-doubling, CSV quoting, C-style backslashes
Runs locally in your browser, so confidential strings never leave your machine

Common use cases

Embed a path or regular expression containing backslashes into a Java or C source file
Quote a value containing a single quote for safe inclusion in a static SQL statement
Wrap a field containing commas and quotes for a valid CSV cell
Escape a string with spaces and special characters for a POSIX shell command
Prepare a string literal for a JavaScript or TypeScript constant

Related Developer Tools

JSON Escape / Unescape

Escape or unescape JSON strings online. Turn text into a safe JSON string literal, or decode an escaped string back to plain text. Free and in-browser.

URL Encoder / Decoder

Encode and decode URLs and URL components online. Convert special characters to percent-encoding and back instantly — free, private, and fast.

Base64 Encoder & Decoder

Encode text or files to Base64, or decode Base64 strings back to text. Fast, free, and runs entirely in your browser.

JSON Formatter & Validator

Format, validate, and minify JSON instantly. Includes syntax highlighting, error detection, and a collapsible tree view — free, private, in-browser.

Regex Tester

Test and debug regular expressions online. See live matches, capture groups, and replace output. Free, private, instant.

HTML Encoder / Decoder

Encode and decode HTML entities online. Escape <, >, &, and quote characters for safe HTML display. Free, instant, and private — runs in your browser.

Explore all Developer Tools.