You cannot bind this way. Think of what the statement is doing, it is preparing the statement, and then providing "an" argument. When you say
, that is a single parameter, and if you were to implode an array it would still be a string.
To bind using a prepared statement and an IN clause, you need to assemble the string first and then execute it. Fortunately, PDO does allow an array of bind unlike the MySQLi which does not (so its easier in PDO statements to do this).
$aIds = array_keys($_SESSION['cart']);
$sPlaceholders = implode(', ', array_fill(0, count($aIds), '?')); // or use a string assembling
$query = $conn->prepare("SELECT id,make,model,price,availability,category,photo FROM products WHERE id IN ($sPlaceholders)");
Assuming that $_SESSION['cart'] uses the keys for the id to check the IN for.