Question

I'm losing my mind. This query works fine (finds one matching record) when executed in SQLite Manager (FF plugin):

SELECT * FROM VendorDB WHERE lower(CompanyName) = 'b&b'

But this variablized SELECT statement (which is exactly the same as above when echo'd out) doesn't find anything.

SELECT * FROM VendorDB WHERE lower(CompanyName) = [vendor variable containing 'b&b']

When the string does not contain an '&' both queries work the same. I've googled all over and not been able to find anything about why the query shouldn't work consistently.

BTW, I'm using PHP:PDO to execute the query.

EDIT_1: Here's how the query is being handled (after implementing the suggestions from @Phil), where $dbh is the database connection:

$qry = "SELECT * FROM VendorDB WHERE lower(CompanyName) = ?"; 
//[$vendor is the variable containing 'b&b']


$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$go_fetch = $dbh->prepare($qry);
$go_fetch->bindParam(1,$vendor);
$go_fetch->execute();

and the results are retrieved as:

$go_fetch->setFetchMode(PDO::FETCH_ASSOC);
$data = $go_fetch->fetchAll();

All of which yields an empty array, but should yield one and only one record.

Also note that I've echo'd the value of the variable $vendor prior to being inserted into the query and it is the correct value (i.e. 'b&b' not 'b&amp;b')


Solution 2

I've resolved the issue. It was a stupid error on my part, but memorializing the answer here in case it's useful to someone else.

The problem was indeed that the '&' sign was being converted into '&amp;'. (Thanks @CBroe for the clue!) It was hard to detect because it wasn't showing up in any of the browser output I was looking at (including viewing the page source).

Long ago and far away I had forgotten that I had set up a standard form-handling function to "cleanse" all POST data. One line in that function took each posted value and applied the htmlspecialchars() function to it. This converted the 'b&b' into 'b&amp;b'. Great for the HTML echo'd output, not so good for database comparison strings.

For this particular application, if I do not apply the htmlspecialchars() everything works as expected, regardless of the way that PDO is implemented.

Lesson re-learned... never forget the "defaults" you establish!

OTHER TIPS

As mentioned in my comment above, use a proper parameterised statement. For example...

$qry = "SELECT * FROM VendorDB WHERE lower(CompanyName) = ?"; 
$go_fetch = $dbh->prepare($qry);

Then, either pass the parameter in to the execute method

$go_fetch->execute([$vendor]);

or bind it first, then execute

$go_fetch->bindParam(1, $vendor);
$go_fetch->execute();

I doubt very much that the ampersand is causing any issues. I can't find any reference to it as an SQLite special character.

I'd say the issue is either that the value in fact contains b&amp;b or that it contains other problem characters like '. The former indicates a problem with where and how the $vendor variable is set. The latter is solved by my answer above.
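The following is an added example, not code from either answer above. It reproduces both points on this page in one script: the accepted solution's failure mode (HTML-encoding POST data on the way in, so 'b&b' reaches the database as 'b&amp;b' and matches nothing) and the parameterised lookup recommended in the other answer. It uses an in-memory SQLite database through PDO (pdo_sqlite extension assumed); the table contents, the findVendor() helper and the simulated $_POST value are constructed for the demo.

```php
<?php
// Added example (not from the original post). Requires the pdo_sqlite extension.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one vendor with an ampersand, one with an apostrophe.
$dbh->exec("CREATE TABLE VendorDB (id INTEGER PRIMARY KEY, CompanyName TEXT NOT NULL)");
$dbh->exec("INSERT INTO VendorDB (CompanyName) VALUES ('B&B'), ('Acme O''Reilly')");

// Hypothetical helper: look a vendor up with a bound parameter. The value is
// sent separately from the SQL text, so '&', quotes etc. cannot alter the query.
function findVendor(PDO $dbh, string $vendor): array
{
    $stmt = $dbh->prepare("SELECT * FROM VendorDB WHERE lower(CompanyName) = ?");
    $stmt->execute([strtolower($vendor)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Simulated form submission (constructed).
$_POST['vendor'] = 'b&b';

// What the poster's "cleansing" function did: encode for HTML on input.
$encoded = htmlspecialchars($_POST['vendor'], ENT_QUOTES, 'UTF-8'); // 'b&amp;b'
var_dump($encoded);                              // string(9) "b&amp;b"
var_dump(count(findVendor($dbh, $encoded)));     // int(0): 'b&amp;b' is not in the table

// Correct: keep the raw value for the database comparison...
$raw = $_POST['vendor'];
var_dump(count(findVendor($dbh, $raw)));         // int(1)

// ...and apply htmlspecialchars() only where the value is written into HTML.
foreach (findVendor($dbh, $raw) as $row) {
    echo '<li>' . htmlspecialchars($row['CompanyName'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}

// The apostrophe case from the other answer: a bound parameter needs no escaping,
// whereas concatenating "Acme O'Reilly" into the SQL string would break the query.
var_dump(count(findVendor($dbh, "Acme O'Reilly"))); // int(1)
```

The rule this illustrates is "encode at the output boundary, not at the input boundary": store and compare the raw value, and let PDO's parameter binding take care of the SQL side while htmlspecialchars() takes care of the HTML side, each applied exactly once at the point where the data crosses into that context.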

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow