I read a comment at php.net:

    Although bindValue() escapes quotes it does not escape "%" and "_", so be careful when using LIKE. A malicious parameter full of %%% can dump your entire database if you don't escape the parameter yourself. PDO does not provide any other escape method to handle it.

So does it really not escape the % and _? What could be the best solution for this?
As the comment says, it's really only an issue for LIKE queries.
It depends on your database on how you have to escape those values. If normal backslash escaping works (as in MySQL), then use:
$like = addcslashes($like, "%_");
Alternatively, it's probably best to be lazy and just strip those meta characters out:

$like = strtr($like, "%_", "  "); // the "to" string needs one replacement character per metacharacter, or "_" is left untouched
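The following is an added example, not code from the question or the answer above. It shows the behaviour the php.net comment describes (a bound "%" is quoted correctly as a string, yet still acts as a wildcard and returns every row) and a portable way to neutralise it. It uses an explicit ESCAPE '!' clause rather than relying on the backslash default, so the same statement works on MySQL, PostgreSQL and SQLite without worrying about how each one treats backslashes inside string literals; the in-memory SQLite database, the "users" table and its rows are constructed test data, and escapeLike() and searchUsers() are names chosen here for illustration.

```php
<?php
// Added example: LIKE wildcards survive bindValue(); escape them yourself.
declare(strict_types=1);

// Constructed test fixture: an in-memory SQLite database with a few usernames,
// two of which deliberately contain LIKE metacharacters.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', 'bob', 'a_c', 'al%ce'] as $u) {
    $ins->execute([$u]);
}

/**
 * Escape LIKE metacharacters so user input matches literally.
 * The escape character itself is escaped too, so a trailing "!" in the input
 * cannot swallow the "%" that the caller appends afterwards.
 * strtr() with an array processes the input once and never re-scans
 * replacement text, which is why it is safe to use here.
 */
function escapeLike(string $value, string $escape = '!'): string
{
    return strtr($value, [
        $escape => $escape . $escape,
        '%'     => $escape . '%',
        '_'     => $escape . '_',
    ]);
}

/** Prefix search; $escape toggles the fix so both behaviours can be compared. */
function searchUsers(PDO $pdo, string $term, bool $escape): array
{
    $pattern = ($escape ? escapeLike($term) : $term) . '%';
    // bindValue() quotes $pattern as a string; it does nothing about % or _.
    // The explicit ESCAPE clause tells the database which character we used.
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username LIKE :p ESCAPE '!'");
    $stmt->bindValue(':p', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 1. Attacker-controlled "%": properly bound, still a wildcard, dumps the table.
var_dump(searchUsers($pdo, '%', false));  // alice, bob, a_c, al%ce

// 2. Same input escaped: "%" is now literal, only names starting with "%" match.
var_dump(searchUsers($pdo, '%', true));   // (empty)

// 3. "_" is a single-character wildcard: "a_" unescaped also matches "al..."
var_dump(searchUsers($pdo, 'a_', false)); // alice, a_c, al%ce
var_dump(searchUsers($pdo, 'a_', true));  // a_c
```

Two practical notes. First, this is not SQL injection: the query structure is intact and nothing outside the table the statement already reads can be reached, but an unescaped wildcard turns a narrow lookup into a full enumeration of whatever that statement is allowed to return (and patterns such as "%a%b%c%" can be expensive to evaluate). Second, if you do use backslash as the escape character with MySQL's default behaviour, as the answer's addcslashes() line does, remember that the backslash also has to be doubled in any SQL string literal where it appears, which is why an explicit, non-backslash ESCAPE character is the less error-prone choice across drivers.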