What does it mean to escape a string?

Escaping rewrites characters that have a special meaning in a given syntax so they are treated as plain data instead. For example, a double quote inside a JSON string must become \" so it does not end the string early. Each target language has its own rules, and this tool applies the correct one for JSON, JavaScript, CSV, SQL, regex and shell.

How is JavaScript escaping different from JSON escaping?

JSON only needs to be valid inside double quotes, so it escapes backslashes, double quotes and control characters. JavaScript string literals can use single quotes, double quotes or backticks, so this tool additionally escapes the single quote and backtick, giving you a body that is safe to drop into any of the three quote styles.

How does CSV escaping work?

It follows RFC 4180. A field is only wrapped in double quotes when it contains a comma, a double quote or a line break, and any double quote inside the field is doubled (a single double-quote becomes two). Plain values with none of those characters are left untouched so the output stays readable.

Is escaping a safe way to prevent SQL injection?

Escaping single quotes by doubling them is the ANSI SQL rule and is what this tool does, but you should still prefer parameterised queries or prepared statements. They separate code from data at the driver level and are far harder to get wrong than manual escaping, which can miss edge cases such as differing quote modes or character sets.

What does the regex target do?

It treats your input as a literal you want to match and backslash-escapes every regular-expression metacharacter — characters like dot, star, plus, question mark, parentheses, brackets, braces, the pipe and the backslash itself. The result is a pattern that matches your text exactly, with no special behaviour.

How is shell escaping done?

It uses POSIX single-quote escaping: the whole value is wrapped in single quotes and any internal single quote is rewritten as the standard four-character sequence that closes the quote, adds an escaped quote, then reopens it. This is the most robust way to pass an arbitrary argument to sh or bash without the shell interpreting it.

String Escape Tool — Gera Tools

The String Escape Tool converts a piece of text into a form that is safe to embed inside six different syntaxes at once — JSON, JavaScript, CSV, SQL, regex and the POSIX shell — and can reverse each one too. It is built for developers who are forever copying a tricky value (one with quotes, commas, newlines or backslashes) into a config file, a SQL console, a shell command or a regular expression, and want the escaping handled correctly the first time rather than debugging a mangled string later.

How it works

Pick a direction at the top. In Escape mode you paste raw text and the tool shows, for every target, the version you can safely embed. In Unescape mode you paste an already-escaped string and get the original text back. Results recalculate live as you type, and each target has its own copy button, so you can grab exactly the format you need. A filter box lets you narrow the list to a single target when you only care about, say, SQL.

Each target applies its real rule. JSON uses the browser’s own serialiser, so control characters become \uXXXX and quotes, tabs and newlines are encoded exactly as a valid JSON string body. JavaScript does the same but also escapes single quotes and backticks so the body is safe inside '...', "..." or a template literal. CSV follows RFC 4180: it only quotes a field that contains a comma, quote or line break, and doubles any internal quote. SQL doubles single quotes, the ANSI rule for string literals. Regex backslash-escapes every metacharacter so your text matches itself literally. Shell wraps the value in single quotes and rewrites internal single quotes, the bullet-proof POSIX way to pass an argument.

Example

Take the awkward value O'Brien, "the boss". Escaped for each target it becomes:

Target	Escaped output
JSON	`O'Brien, \"the boss\"`
SQL	`O''Brien, "the boss"`
CSV	`"O'Brien, ""the boss"""`
Shell	`'O'\''Brien, "the boss"'`

Notice how the same input needs four completely different treatments. The CSV version gets wrapped and its quotes doubled because of the comma; SQL only touches the single quote; the shell version escapes the apostrophe but leaves the double quotes alone. Getting any of these by hand is easy to fumble — the tool does each one correctly and gives you a copy button per format. Everything is computed in your browser, so no text is ever uploaded or stored.