If someone passes a '%' to a field that compares in my sql with su.username LIKE CONCAT('%', email ,'%')) it returns all rows. It ends up looking like su.username LIKE CONCAT('%%%'). Can I get around this in anyway without filtering out the '%'?

I'm assuming you mean you want to escape the % so it matches a literal % instead of anything.

In that case, you just need:

... su.username LIKE CONCAT('%',REPLACE(email,'%','\\%'),'%')

You need to escape the %, so it literally matches '%'

select * from mytable
where mycol like '%\%%';