Fixed IN db queries (#9077)

Most were fine as they hardcoded the in into the query.
Change them all to use PDO properly.
Did not fix IRCBot, they are are all hardcoded.

DO NOT DELETE THIS TEXT

#### Please note

> Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting.

- [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/)

#### Testers

If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926`

html/includes/api_functions.inc.php

@@ -1029,20 +1029,21 @@ function list_alerts()
     check_is_read();
     $app    = \Slim\Slim::getInstance();
     $router = $app->router()->getCurrentRoute()->getParams();
+
+    $sql = "SELECT `D`.`hostname`, `A`.*, `R`.`severity` FROM `alerts` AS `A`, `devices` AS `D`, `alert_rules` AS `R` WHERE `D`.`device_id` = `A`.`device_id` AND `A`.`rule_id` = `R`.`id` AND `A`.`state` IN ";
     if (isset($_GET['state'])) {
-        $param = array(mres($_GET['state']));
+        $param = explode(',', $_GET['state']);
     } else {
-        $param = array('1');
+        $param = [1];
     }
+    $sql .= dbGenPlaceholders(count($param));
 
-    $sql = '';
     if (isset($router['id']) && $router['id'] > 0) {
-        $alert_id = mres($router['id']);
-        $sql      = 'AND `A`.id=?';
-        array_push($param, $alert_id);
+        $param[] = $router['id'];
+        $sql .= 'AND `A`.id=?';
     }
 
-    $alerts       = dbFetchRows("SELECT `D`.`hostname`, `A`.*, `R`.`severity` FROM `alerts` AS `A`, `devices` AS `D`, `alert_rules` AS `R` WHERE `D`.`device_id` = `A`.`device_id` AND `A`.`rule_id` = `R`.`id` AND `A`.`state` IN (?) $sql", $param);
+    $alerts = dbFetchRows($sql, $param);
     api_success($alerts, 'alerts');
 }