I get that the LIKE is to match date times regardless of seconds values.
The syntax doesn't look right to me, though I may be thinking more of problems I've encountered doing similar with prepared statements.
In particular, I have a feeling "
$date%" should be more like "
$date . '%'"
I'm also thinking that a MySQL datetime function could be used to advantage here, but because I have never needed to disregard seconds I can't think of how that could be done if it is a possibility.
I agree that this is a good rule of thumb and best practice. And a definate when a query involves user supplied input. But because this query is using script supplied values I think it should be relatively safe as far as security risk goes. What would be more of a concern is ensuring data integrity. Perhaps not an issue for SELECT queries, but yes, prepared statements are the way to go even if not absolutely needed. Once using them becomes a routine habit a slip up won't bite.