Escape single quote character for use in an SQLite query

sql

sql-injection

prepared-statements

escape-sequences

byNikita Barsukov·Jan 15, 2025

To escape a single quote (') in an SQLite string, utilize two single quotes (''). So:

SELECT * FROM users WHERE bio = 'It''s a bird, it''s a plane, no it''s SQLite!'

This settles the confusion for SQLite, where it would think the end of string has been reached. Remember: Double the fun, double the quotes.

Special characters and literal values in SQLite

Escaping quotes for SQL literals

In SQL statements, literal values enclosed within single quotes often contain ' characters. To keep SQLite from tripping, just double the quote:

INSERT INTO famous_quotes (quote) VALUES ('He said, ''Hello, World!''');

It's like saying, "I'm quoting ''inside'' a quote." Inception, SQL-style!

BLOB literals and hexadecimal data

For hexadecimal data, SQLite has BLOB literals. A leading x or X followed by single-quoted hex data is the rule:

INSERT INTO table (blob_column) VALUES (X'536F6D65');

The X says, "Here comes some hex!". It's like hex-data-superhero!

Handling NULL values

To insert a NULL value, just use the keyword without the quotes:

INSERT INTO table (column) VALUES (NULL);

NULL, the ghost value. It's there but it's also not there. Balancing the Tao in SQL.

Securing and priming your SQLite queries

Preventing SQL injection

Double escaping quotes is a great step against SQL injection. Better yet, use parameterized queries:

-- Say NO to injection, yes to clean SQL. Safety first!
INSERT INTO users (username, password) VALUES (?, ?);

Also, sanitize user input before constructing your SQL queries. SQL: "Cleanliness is next to godliness."

Handling DBNull and object conversion

With languages such as C# or Java, ensure DBNull values are correctly converted. Because NULL in SQL is like a hole in a donut - you don't see it, but it's still there!

Pre-processing in client languages

In Python or JavaScript, replace single quotes (') before building your SQL query:

# Python says, "Don't worry, I've got your back...slash."
safe_string = input_str.replace("'", "''")

But remember, it's not a substitute for prepared statements. Like a cherry on top - nice, but not the cake!

Diverse scenarios and problems you may encounter

Correctly escaping within strings

Account for all places where single quotes might appear:

-- Using ' won't cut it:
SELECT * FROM books WHERE title = 'Children's Literature';

-- But '' will:
SELECT * FROM books WHERE title = 'Children''s Literature';

Beware of non-standard escape sequences

Unlike other databases, SQLite doesn't play well with backslash \ escapes. So remember, backslashes are to SQLite what kryptonite is to Superman!

Pasting text into SQLite

When copying text into an SQLite query, beware of curly quotes. Only straight quotes get a pass:

-- Curly quotes, the unwanted guest:
INSERT INTO table (column) VALUES (‘Incorrect’);

-- Straight quotes, the preferred kind:
INSERT INTO table (column) VALUES ('Correct');

Streamlining complex queries

For long or complex queries, use concatenated strings or text editors with SQL support to do the heavy lifting:

-- This is like a partition in partition match. Quotception!
SELECT * FROM authors WHERE bio LIKE '%''s%';

explain-codes / Sql / Escape single quote character for use in an SQLite query

Linked

Sql standard to escape column names?



What SQLite column name can be/cannot be?



Inserting text string with hex into PostgreSQL as a bytea



What are valid table names in SQLite?



What is the difference between single and double quotes in SQL?



Insert text with single quotes in PostgreSQL



Can't see MySQL BIT field value when using SELECT



Special characters and literal values in SQLite Securing and priming your SQLite queries Diverse scenarios and problems you may encounter