Here's how you properly fetch the result

以下是正确获取结果的方法

$param = "%{$_POST['user']}%";
$stmt = $db->prepare("SELECT id,Username FROM users WHERE Username LIKE ?");
$stmt->bind_param("s", $param);
$stmt->execute();
$stmt->bind_result($id,$username);

while ($stmt->fetch()) {
  echo "Id: {$id}, Username: {$username}";
}

or you can also do:

或者你也可以这样做：

$param = "%{$_POST['user']}%";
$stmt = $db->prepare("SELECT id,Username FROM users WHERE Username LIKE ?");
$stmt->bind_param("s", $param);
$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_array(MYSQLI_NUM)) {
  foreach ($row as $r) {
    print "$r ";
  }
  print "\n";
}

I hope you realise I got the answer directly from the manual hereand here, which is where you should've gone first.

我希望你意识到我直接从这里和这里的手册中得到了答案，这是你应该首先去的地方。

Updated

更新

From comments it is found that LIKE wildcard characters (_and %) are not escaped by default on Paramaterised queries and so can cause unexpected results.

从评论中发现 LIKE 通配符 (_和%) 默认情况下不会在参数化查询中进行转义，因此可能会导致意外结果。

Therefore when using "LIKE" statements, use this 'negative lookahead'Regex to ensure these characters are escaped :

因此，当使用“LIKE”语句时，请使用这个“负前瞻”正则表达式来确保这些字符被转义：

$param = preg_replace('/(?<!\\)([%_])/', '\$1',$param);

As an alternative to the given answer above you can also use the MySQL CONCATfunction thus:

作为上述给定答案的替代方案，您还可以使用 MySQL CONCAT函数，因此：

$stmt = $db->prepare("SELECT id,Username FROM users WHERE Username LIKE CONCAT('%',?,'%') ");
$stmt->bind_param("s", $param);
$stmt->execute();

Which means you do not need to edit your $paramvalue but does make for slightly longer queries.

这意味着您不需要编辑您的$param值，但确实需要稍长的查询。