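';
// server-side: assume retrieval of form search input value
// (cast to string so a null or array value never reaches the escaping below)
$search_term = !empty($_GET['query']) ? (string) $_GET['query'] : '';

// escape the LIKE qualifiers % and _ before the term is used as a pattern, so a
// submitted "%slow_your_db" is matched literally instead of as a leading wildcard.
// '!' is the escape character (doubled when it occurs in the input) so the result
// does not depend on the server's backslash handling (e.g. NO_BACKSLASH_ESCAPES).
$like_term = strtr($search_term, array('!' => '!!', '%' => '!%', '_' => '!_'));

// hand the pattern to the driver as a bound parameter instead of splicing it into
// the SQL text; the ESCAPE clause names the character used above. Note that
// ext/mysql (mysql_query, mysql_real_escape_string) was removed in PHP 7.
// $pdo stands for the application's PDO connection handle (placeholder name).
$stmt = $pdo->prepare("SELECT * FROM my_table WHERE query LIKE ? ESCAPE '!'");
$stmt->execute(array($like_term . '%'));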