I know this has been said before, but I'll write a note on it too because I think it's important to keep in mind:



If you use PDO bindParam to do a search with a LIKE condition, you cannot put the percent signs and quotes around the parameter placeholder, as in '%:keyword%'.



This is WRONG:

"SELECT * FROM `users` WHERE `firstname` LIKE '%:keyword%'";



The CORRECT solution is to leave the placeholder clean, like this:

"SELECT * FROM `users` WHERE `firstname` LIKE :keyword";



And then add the percent signs to the PHP variable where you store the keyword:

$keyword = "%".$keyword."%";



And finally, the quotes will be added automatically by PDO when executing the query, so you don't have to worry about them.



So the full example would be:

<?php

// $dbh is an existing PDO connection
$keyword = $_GET['keyword'] ?? '';   // user-supplied search term

$sth = $dbh->prepare('SELECT * FROM `users` WHERE `firstname` LIKE :keyword');

$keyword = "%" . $keyword . "%";     // the wildcards go into the bound value, not into the SQL

$sth->bindParam(':keyword', $keyword, PDO::PARAM_STR);

$sth->execute();                     // the value is sent separately, so no quotes are needed in the SQL

$rows = $sth->fetchAll(PDO::FETCH_ASSOC);

?>
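As an added example, not part of the original note, the following script runs both forms against an in-memory SQLite database (assumed here so it works offline; the `users` rows and the `searchFirstname()` helper are constructed for the example). It also goes one step beyond the note: because `%` and `_` are LIKE wildcards, a keyword typed by the user that contains them would widen the search, so the helper escapes them with an ESCAPE clause before adding the surrounding `%`.

```php
<?php
// Added example (not part of the original note). Shows the wrong and the
// correct way to combine a LIKE pattern with a PDO placeholder, and escapes
// the LIKE wildcards in user input. In-memory SQLite is used so the script
// runs offline; the table contents are constructed sample data.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, firstname TEXT)');
$ins = $dbh->prepare('INSERT INTO users (firstname) VALUES (:n)');
foreach (['Alice', 'Albert', 'Bob', '100%_sure'] as $n) {
    $ins->execute([':n' => $n]);
}

// WRONG: ':keyword' sits inside a quoted string literal, so the statement
// has no parameter at all. Binding one makes PDO raise a parameter error.
try {
    $bad = $dbh->prepare("SELECT firstname FROM users WHERE firstname LIKE '%:keyword%'");
    $bad->execute([':keyword' => 'al']);
    echo "unexpected: wrong form executed\n";
} catch (PDOException $e) {
    echo "wrong form rejected: " . $e->getMessage() . "\n";
}

// CORRECT: a bare placeholder; the wildcards are added to the bound value.
// (hypothetical helper written for this example)
function searchFirstname(PDO $dbh, string $keyword): array
{
    // Escape the LIKE metacharacters that came from the user, so a '%' or '_'
    // they typed matches literally. The escape character is declared in the
    // SQL with ESCAPE; the surrounding '%' are added afterwards and therefore
    // keep their wildcard meaning.
    $escaped = strtr($keyword, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);

    $sth = $dbh->prepare(
        "SELECT firstname FROM users WHERE firstname LIKE :keyword ESCAPE '\\'"
    );
    // bindValue is enough here: the value does not change before execute().
    $sth->bindValue(':keyword', '%' . $escaped . '%', PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_COLUMN);
}

// Plain substring search: 'al' becomes the pattern '%al%'.
print_r(searchFirstname($dbh, 'al'));

// The user typed a '%': it is escaped, so only names containing a literal
// percent sign are returned instead of every row.
print_r(searchFirstname($dbh, '%'));

// Same for '_', which would otherwise match any single character.
print_r(searchFirstname($dbh, '_sure'));
```

The escape character and its quoting are database-specific: the script declares backslash as the escape character with `ESCAPE '\'` for SQLite; check how your driver and server treat backslashes in string literals before reusing the same literal elsewhere. The `%` that is meant as a wildcard is always appended in PHP after escaping, never written into the SQL around the placeholder.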