Doing that, using the same named place-holder more than once in a query, only works when using emulated prepared queries, which should be avoided, both because the operation of the emulator is not identical to a real prepared query, and if you haven’t set the character set when you make the database connection to match your database tables, you are still open to sql injection, defeating the main reason for using a prepared query in the first place.
This won’t work for the case of no place-holder in the query. However, supplying an array of the input values to the ->execute(…) call, does work when there are no place-holders in the query and the supplied array is empty. You would need to build the array of input parameters inside the conditional logic that’s also building the WHERE … part of the query, so that the array will be empty for the case of no WHERE clause.
The wild-card characters are part of the value, not the sql syntax and only the place-holder goes into the sql query statement, without any quotes around it.
While repetition should be avoided whenever possible, in this case, benefiting from using a true prepared query is worth it. array_fill() could be used to build an array with the repeated entries.