diff --git bp-core/bp-core-classes.php bp-core/bp-core-classes.php
index d2c18ba..b885a6a 100644
--- bp-core/bp-core-classes.php
+++ bp-core/bp-core-classes.php
@@ -318,7 +318,10 @@ class BP_User_Query {
 		// To avoid global joins, do a separate query
 		// @todo remove need for bp_is_active() check
 		if ( false !== $search_terms && bp_is_active( 'xprofile' ) ) {
-			$found_user_ids = $wpdb->get_col( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE %s", '%%' . like_escape( $search_terms ) . '%%' ) );
+			$search_terms_clean = mysql_real_escape_string( mysql_real_escape_string( $search_terms ) );
+			$search_terms_clean = like_escape( $search_terms_clean );
+			$found_user_ids_query = "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE '%" . $search_terms_clean . "%'";
+			$found_user_ids = $wpdb->get_col( $found_user_ids_query );
 
 			if ( ! empty( $found_user_ids ) ) {
 				$sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";
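Review bot: The added lines drop `$wpdb->prepare()` and concatenate the search term straight into the SQL string, so the query's safety now rests entirely on the hand-rolled escaping that builds `$search_terms_clean`. `mysql_real_escape_string()` is called without a link identifier, which ties it to a legacy ext/mysql connection (it warns and returns false when there is none). The double call only yields a correct pattern if every caller passes already-slashed input, which is presumably the POST case the new test mimics. I would normalise the term once and keep the placeholder: `$search_terms_clean = like_escape( stripslashes( $search_terms ) );` then `$found_user_ids = $wpdb->get_col( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE %s", '%' . $search_terms_clean . '%' ) );`. Whether the `stripslashes()` belongs here or in the caller needs confirming, since the enclosing method starts and ends outside this hunk.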
diff --git tests/testcases/core/classes.php tests/testcases/core/classes.php
new file mode 100644
index 0000000..6c772c9
--- /dev/null
+++ tests/testcases/core/classes.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ * @group core
+ */
+class BP_Tests_Core_Classes extends BP_UnitTestCase {
+	protected $old_current_user = 0;
+
+	public function setUp() {
+		parent::setUp();
+	}
+
+	public function tearDown() {
+		parent::tearDown();
+	}
+
+	/**
+	 * Mark a user as active
+	 *
+	 * Users only show up in directories if marked as active in the database
+	 */
+	public function create_active_user() {
+		$user_id = $this->factory->user->create( array( 'role' => 'subscriber' ) );
+		bp_update_user_meta( $user_id, 'last_activity', bp_core_current_time() );
+		return $user_id;
+	}
+
+	public function test_bp_user_query_search_with_apostrophe() {
+		// Apostrophe. Search_terms must escaped to mimic POST payload
+		$user_id = $this->create_active_user();
+		xprofile_set_field_data( 1, $user_id, "Foo'Bar" );
+		$q = new BP_User_Query( array( 'search_terms' => "oo\'Ba", ) );
+
+		$found_user_id = null;
+		if ( ! empty( $q->results ) ) {
+			$found_user = array_pop( $q->results );
+			$found_user_id = $found_user->ID;
+		}
+
+		$this->assertEquals( $user_id, $found_user_id );
+	}
+
+	public function test_bp_user_query_search_with_percent_sign() {
+
+		// LIKE special character: %
+		$user_id = $this->create_active_user();
+		xprofile_set_field_data( 1, $user_id, "Foo%Bar" );
+		$q = new BP_User_Query( array( 'search_terms' => "oo%Bar", ) );
+
+		$found_user_id = null;
+		if ( ! empty( $q->results ) ) {
+			$found_user = array_pop( $q->results );
+			$found_user_id = $found_user->ID;
+		}
+
+		$this->assertEquals( $user_id, $found_user_id );
+
+	}
+
+	public function test_bp_user_query_search_with_underscore() {
+
+		// LIKE special character: _
+		$user_id = $this->create_active_user();
+		xprofile_set_field_data( 1, $user_id, "Foo_Bar" );
+		$q = new BP_User_Query( array( 'search_terms' => "oo_Bar", ) );
+
+		$found_user_id = null;
+		if ( ! empty( $q->results ) ) {
+			$found_user = array_pop( $q->results );
+			$found_user_id = $found_user->ID;
+		}
+
+		$this->assertEquals( $user_id, $found_user_id );
+
+	}
+}
+
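Review bot: The `%` and `_` tests would still pass if the wildcard were not escaped at all, because an unescaped `%` or `_` in the LIKE pattern also matches the literal character stored in "Foo%Bar" and "Foo_Bar". Each test needs a negative case: create a second active user, e.g. `xprofile_set_field_data( 1, $other_id, "FooXBar" );`, and assert that user is not in the results. The `array_pop( $q->results )` pattern inspects only one row and so hides extra matches; asserting on the complete list of returned IDs would catch them. The tests also assume profile field id 1 exists in the fixture, and the empty `setUp()`/`tearDown()` overrides and the unused `$old_current_user` property can be dropped.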
