by tbrownaw 3648 days ago
That's when you combine parameterized queries and concatenated SQL:

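    // Only the "?" markers are concatenated; the values go in as bound parameters.
    var sql = new StringBuilder("... col_name IN (");
    var first = true;
    foreach (var arg in args)
    {
        if (!first)
            sql.Append(", ");
        first = false;  // every placeholder after the first gets a separator
        sql.Append('?');
        parameters.Add(arg);
    }
    sql.Append(')');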
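
The same pattern as a runnable sketch, added here as an example and not part of the original comment: one `?` per value is concatenated into the statement while the values are bound separately, and the empty-list case is handled. The `users` table, the helper names `in_clause` and `find_users`, and the sample values are assumptions constructed for illustration.

```python
import sqlite3


def in_clause(column, values):
    """Return (sql_fragment, params) for `column IN (...)`, one "?" per value."""
    values = list(values)
    if not values:
        # "IN ()" is a syntax error in most SQL dialects; an empty list matches nothing.
        return "0 = 1", []
    # Databases cap the number of bound parameters per statement, so very
    # long lists need to be split into chunks by the caller.
    placeholders = ", ".join("?" for _ in values)
    return f"{column} IN ({placeholders})", values


def find_users(conn, names):
    # Only the column name (a constant chosen by the developer) and the "?"
    # markers are concatenated; every caller-supplied value is a bound parameter.
    fragment, params = in_clause("name", names)
    sql = f"SELECT name FROM users WHERE {fragment} ORDER BY name"
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    # Constructed sample data in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    # A value containing SQL syntax is compared as a plain string, not parsed.
    hostile = "x') OR ('1'='1"
    return {
        "normal": find_users(conn, ["alice", "carol"]),
        "hostile": find_users(conn, ["bob", hostile]),
        "empty": find_users(conn, []),
    }


if __name__ == "__main__":
    print(demo())
```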