What characters are NOT escaped with a mysqli prepared statement?

独厮守ぢ 2021-01-20 00:47

I'm trying to harden some of my PHP code and use mysqli prepared statements to better validate user input and prevent injection attacks.

I switched away from mysql

4 answers
上瘾入骨i
    2021-01-20 01:24

    You are confusing two different levels of evaluation here.

    The LIKE operator takes a string and evaluates any '%' and '_' as placeholders.

    The job of query parameters is it only to bring values (e.g. strings) verbatim to the database engine, so they cannot be mistaken for SQL code. They don't care how the LIKE operator makes special use of certain characters within the string they've just transported. Everything just works as designed here.

    If you want exact matches, use the = operator in place of LIKE.

    If you must use LIKE (even though your LIMIT 1 indicates otherwise here), escape the special characters accordingly yourself beforehand.
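
The two levels described in the answer side by side, as an added example that is not code from the original question or answer: the exact-match query needs no escaping because the bound value is compared verbatim, while the LIKE query escapes `%` and `_` in the user input before binding and declares the escape character with an ESCAPE clause. The table `users`, its `username` column and the connection credentials are hypothetical placeholders.

```php
<?php
// Added example (not from the original question or answer). The table
// `users`, its `username` column and the connection credentials are
// hypothetical placeholders.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Neutralise the characters LIKE interprets inside a pattern (% and _)
 * by prefixing them with an escape character. The escape character
 * itself is doubled so a literal '!' in the input stays literal.
 * '!' is used rather than backslash so the result does not depend on
 * how the server's sql_mode treats backslashes in string literals.
 */
function escape_like(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4');

$userInput = $_GET['q'] ?? '';   // e.g. "50%_off" (wildcards inside user data)

// Exact match: the bound value is compared verbatim, so % and _ in it
// carry no meaning and need no escaping.
$stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $userInput);
$stmt->execute();
$exact = $stmt->get_result()->fetch_assoc();

// Prefix search: the user's wildcards are escaped before binding, and the
// trailing % we append is the only live wildcard in the pattern. The ESCAPE
// clause tells MySQL which character escape_like() used.
$pattern = escape_like($userInput) . '%';
$stmt = $db->prepare(
    "SELECT id, username FROM users WHERE username LIKE ? ESCAPE '!'"
);
$stmt->bind_param('s', $pattern);
$stmt->execute();
$prefixMatches = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

$stmt->close();
$db->close();
```

With this helper, an input of `50%_off` is bound as the pattern `50!%!_off%`, so LIKE matches the five characters literally and only the appended `%` acts as a wildcard. The parameter binding still does its own job unchanged: whatever the pattern contains, it reaches the server as a string value and never as SQL code.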
