I'm getting this error:
Warning: mysqli_stmt::bind_param(): Number of variables doesn't match number of parameters in prepared statement
code:
$stmt = $sql->prepare("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%?%'");
$stmt->bind_param('s', $_GET['search']);
$stmt->execute();
$result = $stmt->get_result();
I'm trying to get the user input into the prepared statement.
This code works fine but is insecure against SQL injections:
$result = $sql->query("SELECT name, site, message, `when` FROM messages WHERE message LIKE '%" . $_GET['search'] . "%'");
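The usual fix, as an added example that is not part of the original question: a `?` inside a quoted literal (`'%?%'`) is just text, so the statement has zero parameters and `bind_param()` fails; the placeholder must stand alone and the `%` wildcards go into the bound PHP value. `searchMessages` is a hypothetical helper; it assumes the `$sql` mysqli connection and `messages` table from the post.

```php
<?php
// Added example (not the asker's code). Assumes $sql is an open mysqli
// connection and the messages table from the question.

function searchMessages(mysqli $sql, string $search): array
{
    // A bound value is never parsed as SQL, so this is safe against injection.
    // LIKE has its own metacharacters, though: a user typing '%' or '_' would
    // otherwise get wildcard behaviour. Escape them with '!' and declare that
    // escape character in the query, so the search is a literal substring match.
    $escaped = strtr($search, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $pattern = '%' . $escaped . '%';

    // The placeholder stands alone; the wildcards are part of the bound value.
    $stmt = $sql->prepare(
        "SELECT name, site, message, `when` FROM messages WHERE message LIKE ? ESCAPE '!'"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$rows = searchMessages($sql, $_GET['search'] ?? '');
```

Binding `'%' . $_GET['search'] . '%'` directly would also fix the warning and the injection; the extra escaping only matters if `%` and `_` typed by the user should match literally.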