Concur. Just say no to QueryString parameters. Besides, you can pass arrays to "Prep" queries if you have a competent database and JDBC drivers.
In this case, the PostgreSQL syntax for runPrepQuery would look like this:
SELECT * FROM some_table WHERE some_column = ANY (?)
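
The array-binding form from the post above, as an added example that is not part of the original post: a plain PostgreSQL session where `PREPARE`/`EXECUTE` and `$1` stand in for runPrepQuery and its `?` placeholder. The statement name `by_values`, the table layout, and all rows and values are constructed for illustration.

```sql
-- Constructed sample data (assumption: some_column is text).
CREATE TEMP TABLE some_table (
    id          serial PRIMARY KEY,
    some_column text NOT NULL
);
INSERT INTO some_table (some_column) VALUES ('alpha'), ('beta'), ('gamma');

-- One placeholder carries the whole list as a text[] value.
-- The SQL text never changes, whatever the list contains.
PREPARE by_values (text[]) AS
    SELECT * FROM some_table WHERE some_column = ANY ($1);

-- Two values: returns the 'alpha' and 'gamma' rows.
EXECUTE by_values (ARRAY['alpha', 'gamma']);

-- An element containing quotes and SQL syntax is compared as a plain
-- string. It matches no row and cannot alter the statement.
EXECUTE by_values (ARRAY['alpha'') OR 1=1 --']);

-- Empty list: returns zero rows. A query assembled by string
-- concatenation would produce "IN ()" here, which is a syntax error.
EXECUTE by_values (ARRAY[]::text[]);

DEALLOCATE by_values;
```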