PHP - How to Turn an Array into a PDO-Safe IN Query

July 10, 2025 note-to-self

In code that talks to the database through plain PDO prepared statements, building an "IN (...)" clause from user-supplied values is a classic SQL injection point: every value has to end up inside the SQL text unless it is bound as a parameter, and a prepared statement can't bind a whole list to a single placeholder. PDO handles the security fine, but only if you generate one placeholder per value and keep the values themselves out of the query string.

The trick below derives the placeholder list from the array's length, so you still get a real IN query without rolling your own quoting or escaping.

<?php
// User input
$userInputs = ['value1', 'value2', 'value3']; // Replace with actual user input

// Create one '?' placeholder per value (the values themselves are never interpolated)
$placeholders = array_fill(0, count($userInputs), '?');

// Convert the array of placeholders into a comma-separated string: "?,?,?"
$placeholdersString = implode(',', $placeholders);

// Create the parameterized query; only the placeholder list goes into the SQL text
$query = "SELECT * FROM your_table WHERE your_column IN ($placeholdersString)";

// Prepare once, then bind the values positionally on execute ($pdo is an existing PDO connection)
$stmt = $pdo->prepare($query);
$stmt->execute(array_values($userInputs)); // array_values() guarantees a 0-based list for positional binding
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

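The snippet above stops at building the SQL string and does not cover the cases that bite in practice: an empty array (which yields the syntax error "IN ()"), IN placeholders mixed with other "?" placeholders in the same query (positional order matters), and non-scalar values sneaking in from query-string arrays. The following is an added example, not code from the original note, that wraps the technique in a helper and runs the unsafe string-concatenation version beside it against an in-memory SQLite database (it assumes the pdo_sqlite extension is available; the table, rows and the hostile input are all constructed here for the demo). The `{IN}` token, the `safeIn`/`unsafeIn` function names and the `users` table are my own choices.

```php
<?php
declare(strict_types=1);

// The unsafe pattern the note warns against: quoting the values by hand.
// Anything containing a quote breaks out of the list and becomes SQL.
function unsafeIn(PDO $pdo, array $values): array
{
    $list = "'" . implode("','", $values) . "'";   // no escaping at all
    return $pdo->query("SELECT id FROM users WHERE name IN ($list)")->fetchAll(PDO::FETCH_COLUMN);
}

// The safe pattern: one '?' per value, all values bound on execute().
// $sqlTemplate must contain exactly one {IN} token, which is replaced by the
// placeholder list. Other '?' placeholders in the template are bound from
// $before (those to the left of {IN}) and $after (those to the right) so the
// positional order still lines up.
function safeIn(PDO $pdo, string $sqlTemplate, array $inValues, array $before = [], array $after = []): array
{
    if (substr_count($sqlTemplate, '{IN}') !== 1) {
        throw new InvalidArgumentException('template must contain exactly one {IN} token');
    }
    // Edge case: "IN ()" is a syntax error on most engines, and an empty list
    // matches nothing anyway, so never send it to the database.
    if ($inValues === []) {
        return [];
    }
    // Positional binding needs a 0-based list; this also discards caller-supplied keys.
    $inValues = array_values($inValues);
    // $_GET['name'][] = ... gives nested arrays; PDO cannot bind those, so reject them early.
    foreach ($inValues as $v) {
        if ($v !== null && !is_scalar($v)) {
            throw new InvalidArgumentException('IN values must be scalars');
        }
    }
    $placeholders = implode(',', array_fill(0, count($inValues), '?'));
    $sql = str_replace('{IN}', '(' . $placeholders . ')', $sqlTemplate);

    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge(array_values($before), $inValues, array_values($after)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo database (in-memory SQLite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so that
// binding happens on the server rather than by client-side string substitution.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)');
$pdo->exec("INSERT INTO users (name, active) VALUES ('alice',1), ('bob',1), ('carol',0), ('dave',1)");

// Constructed attacker input: closes the quoted list and appends a tautology.
$hostile = ["zzz') OR ('1'='1"];

// Unsafe: the payload becomes SQL and the WHERE clause is true for every row.
$leaked = unsafeIn($pdo, $hostile);
echo 'unsafe: ' . count($leaked) . ' row(s) returned' . PHP_EOL;

// Safe: the same payload is bound as a string literal and matches no name.
$safe = safeIn($pdo, 'SELECT id FROM users WHERE name IN {IN}', $hostile);
echo 'safe:   ' . count($safe) . ' row(s) returned' . PHP_EOL;

// IN list mixed with other placeholders: ordering is handled by $before / $after.
$rows = safeIn(
    $pdo,
    'SELECT id, name FROM users WHERE active = ? AND name IN {IN} AND id > ?',
    ['alice', 'bob', 'carol'],
    [1],   // active = ?
    [1]    // id > ?
);
echo 'mixed:  ' . implode(',', array_column($rows, 'name')) . PHP_EOL;

// Empty input short-circuits and never produces "IN ()".
var_dump(safeIn($pdo, 'SELECT id FROM users WHERE name IN {IN}', []));
```

Running it shows the contrast the note is about: the hand-quoted version turns `zzz') OR ('1'='1` into `name IN ('zzz') OR ('1'='1')` and hands back the whole table, while the placeholder version treats the identical string as data and returns nothing. Two caveats worth keeping in mind with this approach: the placeholder list is built from `count($inValues)`, so a very large array produces a very large statement, and database engines cap the number of bound parameters per statement (MySQL's prepared statements, for example, allow at most 65535 placeholders), so chunk huge lists; and the `{IN}` token must be replaced before `prepare()`, because only `?` placeholders, never the values, may be spliced into the SQL text.
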
These posts are for my own understanding. Reader beware. Info may be wrong but it reflects my current understanding.