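';
// Server-side: retrieve the search term submitted by the form. $_GET values can be
// arrays (?query[]=x), so only a non-empty string is accepted; anything else means "no term".
$raw_query = isset($_GET['query']) ? $_GET['query'] : NULL;
$search_term = (is_string($raw_query) && $raw_query !== '') ? $raw_query : '';

// Two separate escaping steps are required, in this order:
//  1. addcslashes() backslash-escapes the LIKE wildcards '%' and '_' (and '\' itself, so a
//     user-supplied backslash cannot neutralise the escape of the character that follows it).
//     mysql_real_escape_string() does NOT touch these characters: without this step a term
//     such as "%slow_your_db" reaches the database as an unanchored wildcard pattern, which
//     defeats any index on the column and forces a full scan (a cheap DoS).
//  2. mysql_real_escape_string() then escapes quotes/backslashes for the SQL string literal;
//     it doubles the backslashes added in step 1 so they survive string-literal parsing and
//     are still seen by LIKE.
$search_term = addcslashes($search_term, '\\%_');
$search_term = mysql_real_escape_string($search_term);

// The trailing '%' is now the only wildcard in the pattern, so the prefix match can still
// use an index on `query`. MySQL's default LIKE escape character is the backslash, which is
// exactly what addcslashes() emitted above.
// NOTE(review): the mysql_* extension was removed in PHP 7; a prepared statement with a bound
// parameter (PDO or mysqli) is the supported replacement for hand-escaping the literal, and
// the addcslashes() step is still needed with it because LIKE wildcards are data, not syntax.
mysql_query("SELECT * FROM my_table WHERE query LIKE '{$search_term}%'");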