    //Split post by words and build the query
    $words_query = "";
    $words = explode(' ', $_POST["search"]);
    for ($i = 0; $i < count($words); $i++)
    {
        //Skip empty strings produced by repeated spaces
        if ($words[$i] == "")
            continue;
        //Escape each word on its own, before it is placed inside the quotes
        $word = mysql_real_escape_string($words[$i]);
        if ($words_query == "")
            $words_query .= "WHERE field LIKE '%" . $word . "%'";
        else
            $words_query .= " OR field LIKE '%" . $word . "%'";
    }
    //Check here that words_query is valid
    if ($words_query != "")
    {
        $result = mysql_query("SELECT * FROM table " . $words_query);
        while($r=mysql_fetch_array($result))
        {
            //display results code
        }
    }
Be VERY careful about how you let your user interact with SQL through your site. The function mysql_real_escape_string() will remove any characters that they could use to maliciously affect your website and its data.
As a quick example with your original code, if someone set 'search' as "%'; DELETE * FROM table; --" all your data would have been cleared.
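An added example, not part of the original answer: the same multi-word search built with PDO bound parameters instead of string concatenation (the mysql_* extension used above was removed in PHP 7). The `articles` table, `body` column, sample rows and the `build_search()` helper are hypothetical, and it assumes the pdo_sqlite extension so it runs offline against an in-memory database.

```php
<?php
// Added example: multi-word LIKE search with bound parameters.
// Table "articles", column "body" and all rows are constructed for illustration.

function build_search(string $search): array
{
    // Split on any run of whitespace and drop empty tokens.
    $words = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    $clauses = [];
    $params = [];
    foreach ($words as $word) {
        // Escape LIKE metacharacters so a typed % or _ matches literally.
        // '!' is used as the escape character because it is portable
        // across SQLite and MySQL string-literal rules.
        $literal = preg_replace('/[!%_]/', '!$0', $word);
        $clauses[] = "body LIKE ? ESCAPE '!'";
        $params[] = '%' . $literal . '%';
    }
    if (!$clauses) {
        return [null, []]; // nothing to search for
    }
    $sql = 'SELECT id, body FROM articles WHERE ' . implode(' OR ', $clauses);
    return [$sql, $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)');
$pdo->exec("INSERT INTO articles (body) VALUES
            ('red apple'), ('green pear'), ('100% juice')");

// Constructed inputs: a normal search, the string from the answer above,
// and a word containing a LIKE wildcard.
$inputs = ["apple pear", "%'; DELETE * FROM table; --", "100%"];
foreach ($inputs as $input) {
    [$sql, $params] = build_search($input);
    if ($sql === null) {
        continue;
    }
    // User text travels only as bound values, never as part of the SQL string.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
    printf("%-30s => %s\n", $input, json_encode($rows));
}

// The table is intact after all three searches.
echo $pdo->query('SELECT COUNT(*) FROM articles')->fetchColumn(), " rows remain\n";
```

The SQL text sent to `prepare()` contains only `?` placeholders, so quotes, semicolons and comment markers in the search box are treated as data to match against `body`.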