Description:
------------
PHP 7.4 unbundled the SQLite library, so benefits from how it was compiled on the system. Many systems (Mac OSX, Debian, Ubuntu, and others) compile it with SQLITE_MAX_VARIABLE_NUMBER=250000 or larger (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717900).

PHP 7.3 doesn't specify the flag (https://github.com/php/php-src/blob/PHP-7.3/ext/sqlite3/config0.m4#L80), so gets the low default of 999 (https://www.sqlite.org/limits.html#max_variable_number).

It would be helpful if PHP 7.3 could match the Debian number, to make the test script work.

SQLite sets the default so low in order to prevent SQL injection attacks from allocating excessive memory on low memory embedded systems (https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg119067.html). However, I don't think PHP is used on such systems, and a SQL injection attack in a PHP application can already do far more harm than merely allocating 18MB of memory (72 bytes * 250000).

I also filed a similar issue for Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=1798134).

Test script:
---------------
$large_array = range(0, 1000);

$db = new PDO('sqlite::memory:');
$placeholders = implode(', ', array_fill(0, count($large_array), '?'));
$stmt = $db->prepare("SELECT 1 WHERE 42 IN ($placeholders)");
var_dump($stmt->execute($large_array));


Expected result:
----------------
It should output "bool(true)", indicating that the execute() statement executed. 

Actual result:
--------------
It outputs nothing, because the execute() statement passes more arguments than the 999 limit.