I know this has been said before but I'll write a note on it too because I think it's important to keep in mind:
If you use PDO bindParam to do a search with a LIKE condition you cannot put the percentages and quotes to the param placeholder '%:keyword%'.
This is WRONG:
"SELECT * FROM `users` WHERE `firstname` LIKE '%:keyword%'";
The CORRECT solution is to leave clean the placeholder like this:
"SELECT * FROM `users` WHERE `firstname` LIKE :keyword";
And then add the percentages to the php variable where you store the keyword:
$keyword = "%".$keyword."%";
And finally the quotes will be automatically added by PDO when executing the query so you don't have to worry about them.
So the full example would be:
<?php
$keyword = $_GET['keyword'];
$sth = $dbh->prepare('SELECT * FROM `users` WHERE `firstname` LIKE :keyword');
$keyword = "%".$keyword."%";
$sth->bindParam(':keyword', $keyword, PDO::PARAM_STR);
?>
