String Escape / Unescape

Escaping adds special characters (backslashes, etc.) to make a string safe within a specific context without changing the underlying data representation. For example, a JSON string "He said \"hello\"" escapes the inner quotes. URL encoding (percent-encoding) transforms characters into %XX sequences — this is technically encoding, not just escaping. HTML escaping converts < to &lt; so it is treated as text, not markup. Both change how the string is represented, but the decoded/unescaped value remains the same.

URL encoding (percent-encoding) is for query strings and URL path segments: encodeURIComponent("a b") → "a%20b". Use it when building URLs dynamically. HTML entity encoding is for embedding text in HTML markup: "<script>" → "&lt;script&gt;". Use it when outputting user-provided content into HTML (to prevent XSS). JSON escaping is for embedding strings in JSON payloads or JavaScript code. Each has its own context — using the wrong one is a security risk.

JavaScript and C use backslash escapes within string literals: \n (newline), \t (tab), \r (carriage return), \\ (literal backslash), \" (double quote), \' (single quote), \0 (null byte), \uXXXX (Unicode code point). This escaping is needed when embedding a string in source code. For example, if you have a string containing a newline, in JSON it is represented as \n, in a JS string literal also as \n.

SQL escaping replaces single quotes (the string delimiter in SQL) with doubled single quotes (''). For example, O'Brien becomes O''Brien in a SQL string. This prevents SQL injection but is NOT a substitute for parameterized queries — use prepared statements instead. This tool shows what SQL-escaped output looks like, but always prefer parameterized queries in production code: INSERT INTO users (name) VALUES ($1) with the value passed separately.

Regular expression escaping adds backslashes before characters with special meaning in regex patterns: . * + ? ^ $ { } [ ] ( ) | \. For example, the string "1.0" as a regex pattern matches "1X0" (dot matches any character). Escaped: "1\.0" only matches the literal string "1.0". Use regex escaping when constructing regex patterns from user input: new RegExp(escapeRegExp(userInput)).