No, don't use extra parameters. Use system.db.runPrepQuery() instead of system.db.runNamedQuery(). Generate the SQL with exactly the correct number of question marks inside the IN clause every time.
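A worked version of the approach described in the answer above, as an added example (not the poster's code and not Ignition's own API). It builds the `IN (...)` list with exactly one `?` per value and hands the values to the driver as bound parameters, so no value is ever spliced into the SQL text. Since `system.db.runPrepQuery()` is only available inside Ignition, the example assumes Python's built-in `sqlite3` as a stand-in datasource; the `(sql, args)` pair it produces is what you would pass to `system.db.runPrepQuery(sql, args, datasource)` in a real script. The table `tags`, its columns, the `ALLOWED_COLUMNS` allowlist and the row data are constructed for the example.

```python
import sqlite3

# Placeholders can only bind values, never identifiers, so the column name
# is checked against a fixed allowlist instead of being trusted from the caller.
ALLOWED_COLUMNS = ("id", "name")


def build_in_query(column, values):
    """Return (sql, args) for `SELECT ... WHERE <column> IN (?, ?, ...)`.

    One '?' is emitted per value, so args always matches the placeholder count.
    An empty list is rejected: `IN ()` is not valid SQL and must be handled
    by the caller (skip the query, or return no rows).
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    args = list(values)
    if not args:
        raise ValueError("IN clause needs at least one value")
    placeholders = ", ".join("?" for _ in args)
    sql = "SELECT id, name FROM tags WHERE %s IN (%s) ORDER BY id" % (column, placeholders)
    return sql, args


def run_prep_query(sql, args, conn):
    """Stand-in for system.db.runPrepQuery(sql, args, datasource) (assumption:
    sqlite3 connection instead of an Ignition datasource). The driver binds
    each '?' to the matching element of args."""
    return conn.execute(sql, args).fetchall()


def demo():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?)",
        [(1, "Pump1"), (2, "Pump2"), (3, "Valve1")],
    )
    # The third value looks like an injection attempt; because it is bound as a
    # parameter it is simply compared as a literal string and matches nothing.
    sql, args = build_in_query("name", ["Pump1", "Valve1", "x' OR '1'='1"])
    return sql, args, run_prep_query(sql, args, conn)


if __name__ == "__main__":
    sql, args, rows = demo()
    print(sql)
    print(args)
    print(rows)
```

In an Ignition script the body of `run_prep_query` becomes `system.db.runPrepQuery(sql, args, "MyDatasource")`; the placeholder-building logic is the same, and `len(args)` equals the number of `?` in the generated SQL every time.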