Description:
------------
There seems to be no simple way of using prepared statements in queries where "field IN (values)" is used.
Currently PDOStatement::execute doesn't handle it well if you give it an array as a value. If it could convert that array to comma-separated values instead, that would solve the issue. I'd like the test script below to work when this is implemented.

It's not only a matter of convenience. SQL injection attacks happen because of this.

I've implemented this in PHP code and it's not difficult. But it would be much better if the language supported this. People recommend implode and array_fill or str_repeat for generating question marks but that approach is not only ugly but named parameters can't be used in the same query.

I'm not the first to have this idea but I'm bringing it up because I can't find an answer to why this is not implemented.

Test script:
---------------
<?php
$db = new \PDO('mysql:host=host;dbname=db', 'user', 'pass');
$res = $db->prepare(
    'SELECT `name` FROM `table` WHERE `id` IN :ids AND `foo` = :bar'
);
$res->execute([
    'ids' => [3, 2, 1],
    'bar' => 'bar'
]);
var_dump($res->fetch());


Actual result:
--------------
Array to string conversion on line 9