in reply to SQL prepared statements using MySQL In ()

The way to do this while being safe against SQL injection is to have your values in an array - pass them as query parameters, and then construct your query with an iteration over the size of the array, so you end up with whatever the MySQL equivalent of this is:

select field1 from table1 where ((field2 = @namedParameter1) or (field2 = @namedParameter2) or (field2 = @namedParameter3))
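The construction described in the reply above, as an added example that is not part of the original post: only the placeholder names are generated from the array size, and every value travels as a bound parameter. It assumes Python's built-in sqlite3 module as an offline stand-in for MySQL (so placeholders are written `:p1` rather than `@namedParameter1`), and the helper names and table rows are constructed for illustration.

```python
import sqlite3


def build_or_query(values):
    """Return (sql, params) with one named placeholder per value.

    Only placeholder names derived from the list length are put into the
    SQL text; the values themselves never are.
    """
    values = list(values)
    if not values:
        # An empty OR chain (or an empty IN ()) is invalid SQL,
        # so return a query that matches no rows instead.
        return "SELECT field1 FROM table1 WHERE 0 = 1", {}
    params = {f"p{i}": v for i, v in enumerate(values, start=1)}
    clause = " OR ".join(f"(field2 = :{name})" for name in params)
    return f"SELECT field1 FROM table1 WHERE ({clause})", params


def fetch_field1(conn, values):
    """Run the generated statement with the values bound as parameters."""
    sql, params = build_or_query(values)
    return sorted(row[0] for row in conn.execute(sql, params))


def make_demo_db():
    """Constructed sample data: table1 with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (field1 TEXT, field2 TEXT)")
    conn.executemany(
        "INSERT INTO table1 VALUES (?, ?)",
        [("alpha", "a"), ("bravo", "b"), ("charlie", "c")],
    )
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(build_or_query(["a", "c"])[0])
    print(fetch_field1(db, ["a", "c"]))
    # A value containing quote characters is compared as a literal string,
    # so it matches nothing rather than altering the WHERE clause.
    print(fetch_field1(db, ["a' OR '1'='1"]))
    print(fetch_field1(db, []))
```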