How can I pass a variable to a WHERE clause using mysqli?

If you are using the same SQL code for every param, just create a hash of possible params: (CGI param name => table column name)

$params = array(    'first_name' => 'first_name',    'last_name' => 'last_name',);

It's much better from a security point of view as you are protected from SQL injection.

Then get the column name from the hash and put it into the query - and you'll get rid of the if-s:

$name = $params[$param];$sql = "SELECT * FROM tableWHERE $name LIKE ?";if($prep = $link->prepare($sql)){    $prep->bind_param('s', "%$search%");    ...

As @Akam said, no need to CONCAT("%", ?, "%") in the query - it's better to bind the value with percents right ahead.

According to this example in the PHP manual

http://www.php.net/manual/en/mysqli-stmt.bind-param.php#108790

You seem to be best to add the '%' to the string variable you are binding - rather than in the query e.g. in your example:

if($prep = $link->prepare('SELECT * FROM table                           WHERE first_name                           LIKE ?')){    $search='%'.$search.'%';    $prep->bind_param('s', $search);    $prep->execute();    $prep->bind_result($first_name, $last_name);    while($prep->fetch())        echo $first_name . ' ' . $last_name;    $prep->close(); }

Haven't tested it but it seems like a sensible solution.

You can't use placeholders for column names, so you'll have to concatenate the column names normally. However, instead of just escaping it with mysqli, because you have a limited set of columns I'd suggest a while list approach:

$allowed_params = array('first_name', 'last_name', etc);$param  = $_POST['param' ];$search = $_POST['search'];if(!in_array($param, $allowed_params))    die("Uh oh, the request seems to have an invalid param!");if($prep = $link->prepare('SELECT * FROM table                           WHERE ' . $param . '                           LIKE ?')){    $prep->bind_param('s', '%' . $search . '%');    $prep->execute();    $prep->bind_result($first_name, $last_name);    while($prep->fetch())        echo $first_name . ' ' . $last_name;    $prep->close();}else    echo 'Error while preparing statement.';

Also note the removal of the concat statement, and instead concatenating in PHP. This is important for prepared statements as once it gets to the server it's not actually combining them (thus the protection of prepared statements), so it won't work properly unless the wildcards are sent with the $search string.