String Escape/Unescape

Frequently Asked Questions

What characters need to be escaped in JSON strings?

In JSON, you must escape: double quotes ("), backslash (\\), and control characters (\n for newline, \t for tab, \r for carriage return, \b for backspace, \f for form feed). Forward slashes (/) are optionally escapable. Unicode characters can be escaped as \uXXXX.

What is URL encoding and when should I use it?

URL encoding (percent-encoding) replaces unsafe characters with %XX where XX is the hex byte value. Spaces become %20 (or + in query strings), & becomes %26, = becomes %3D. Use encodeURIComponent() in JavaScript to encode individual query parameter values; use encodeURI() for full URLs.

What is the difference between HTML entity encoding and URL encoding?

HTML encoding converts characters that have meaning in HTML markup: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → &#39;. URL encoding converts characters unsafe in URLs using %HH notation. Always HTML-encode user content before inserting into HTML to prevent XSS attacks.

How do I escape a string for use in a SQL query?

SQL escaping replaces single quotes with two single quotes (' → '') and escapes backslashes in MySQL. However, string escaping alone is not sufficient for SQL injection prevention — always use parameterized queries or prepared statements. This tool is useful for understanding what escaping looks like, not as a security solution.

What characters need to be escaped in regular expressions?

Regex metacharacters that need escaping with a backslash: . ^ $ * + ? { } [ ] \ | ( ). For example, to match a literal dot in a regex, use \. — otherwise . matches any character. In JavaScript, use RegExp.escape() or a utility like escapeRegExp() to safely escape user input for regex.