You mentioned two parameters (with the same name) for the prepare statement, yet you supply a value for the first parameter only (that's what the error was about).
Not quite sure how PDO internally solved the same-parameter-name issue, but you can always avoid that.
Two possible solutions:
$sql = "select * from $table ".
"where "
"first_name like concat('%', :fname, '%') or ".
"last_name like concat('%', :lname, '%')";
$stmt= $DBH->prepare($sql);
$stmt->bindValue(':fname', $string, PDO::PARAM_STR);
$stmt->bindValue(':lname', $string, PDO::PARAM_STR);
$sql = "select * from $table ".
"where "
"first_name like concat('%', ?, '%') or ".
"last_name like concat('%', ?, '%')";
$stmt= $DBH->prepare($sql);
$stmt->bindValue(1, $string, PDO::PARAM_STR);
$stmt->bindValue(2, $string, PDO::PARAM_STR);
By the way, the existing way you have done still has SQL injection issues.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…