I believe the issue is that it attempts to bind it as a string. So in your first example, the query would come out as:
SELECT * FROM item WHERE id IN ('1,2,3,4,5');
Whereas in the second you’re injecting it directly. If you’re 100% sure items_id is safe, I suppose you could throw it in directly (I’ve done it a few times, only when I know that the param only contains a numeric set), otherwise perhaps you want to make use of the query builder. For instance, you could rewrite the above as:
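Added example, not part of the original answer and not the query-builder rewrite it refers to: it reproduces the single-string binding described above and shows one safe alternative, validating each id as an integer and binding one placeholder per value. It assumes Python's sqlite3 and a constructed `item` table; the function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data; table `item` and column `id` follow the query in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO item VALUES (?, ?)",
                   [(i, f"item-{i}") for i in range(1, 8)])
    return db


def find_bound_as_one_string(db, items_id):
    # One placeholder, one value: the whole list travels as a single string,
    # so the statement is effectively WHERE id IN ('1,2,3,4,5').
    rows = db.execute("SELECT id FROM item WHERE id IN (?) ORDER BY id",
                      (items_id,))
    return [r[0] for r in rows]


def find_with_expanded_placeholders(db, items_id):
    # int() rejects anything that is not a plain integer (raises ValueError),
    # so no caller-supplied text ever reaches the SQL string itself.
    ids = [int(part) for part in items_id.split(",") if part.strip()]
    if not ids:
        return []
    # Only "?" marks are interpolated; the values are still bound by the driver.
    marks = ",".join("?" * len(ids))
    rows = db.execute(
        f"SELECT id FROM item WHERE id IN ({marks}) ORDER BY id", ids)
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_bound_as_one_string(db, "1,2,3,4,5"))
    print(find_with_expanded_placeholders(db, "1,2,3,4,5"))
```

SQLite matches no rows for the single-string form; MySQL would instead coerce the string to the number 1 and match only that row.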