If MySQL supports the IN(..) idiom, you might want to use code such as:

SELECT * FROM CATALOG 
WHERE item_id IN (?, ?, ?, ...)
[download]

Up to your database's limit in the IN(...) clause (32 arguments for Oracle, IIRC). In your code, you could simply issue as many $sth->bind_param() as needed or call ->execute() with the required number of parameters.

In the case of Oracle, where I needed this for a different reason, the identical arguments to IN(..) were optimized away. I would expect the same from MySQL if this is supported.

Also do note that DBD::Oracle supports placeholders like :1, which refer to the first paramenter no matter how many times or where do they appear in your SQL. Check if DBD::MySQL also supports this.

If you definitely need to resort to "dynamic SQL", then by all means use ->quote(), as this will correctly quote whatever is passed to you, thus rendering most threats innefective. Another drawback of this, is that you lose the benefit of ->prepare().

Regards.