Skip to content
BEAD

SQL Escape / Unescape

Safely quote string literals for ANSI, MySQL, or PostgreSQL — and reverse it.

Safe SQL literal
</>Use this tool programmaticallycurl · JavaScript · MCP

Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.

curl
curl https://api.b-e-a-d.com/tools/sql-escape/run \
  -H "Content-Type: application/json" \
  -d '{
  "mode": "escape",
  "dialect": "ansi",
  "input": "your input here",
  "wrapInQuotes": true
}'
JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/sql-escape/run", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
  "mode": "escape",
  "dialect": "ansi",
  "input": "your input here",
  "wrapInQuotes": true
}),
});
const data = await res.json();
console.log(data.result);
MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
  "mcpServers": {
    "bead": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
    }
  }
}

# Then ask Claude to call:
mcp__bead__bead_sql_escape

Full reference: developer docs · OpenAPI spec

What we escape

  • ' single quote — doubled to '' (SQL standard)
  • \ backslash — for engines that treat it as an escape (MySQL default)
  • Control characters — \0 \n \r \t \b for MySQL strings

Use a parameterized query when you can

String escaping is a last resort. Parameter binding (?, $1, :name) is safer because the driver handles types and never inlines values into the SQL text.

You might also like