PHP
glem1337, 2018-04-18 16:54:14

How to use a named and unnamed variable at the same time in PDO?

If I substitute variables in the query string, then everything naturally works, but from a security point of view, this is not correct:

// This way everything works
</grReplace>
<gr_replace lines="18-20" cat="clarify" orig="//Так ошибки">
// This way there are errors
$in  = str_repeat('?,', count($brand) - 1) . '?';
$sql = "SELECT * FROM models WHERE category_id= :cat_id AND brand_id IN ($in)";
$brand = implode(',',$brand);
$sql = "SELECT * FROM models WHERE category_id=$cat_id AND brand_id IN ($brand)";
$stmt = $pdo->prepare($sql);
$stmt->execute();

If I try to substitute a named and unnamed variable, then I immediately get errors:
//Так ошибки
$in  = str_repeat('?,', count($brand) - 1) . '?';
$sql = "SELECT * FROM models WHERE category_id= :cat_id AND brand_id IN ($in)";	
$stmt = $pdo->prepare($sql);
$stmt->execute(array('cat_id'=>$cat_id, $brand));

Moreover, if instead of :cat_id I insert the variable directly, it works, almost exactly what is needed, but still not quite:
$in  = str_repeat('?,', count($brand) - 1) . '?';
$sql = "SELECT * FROM models WHERE category_id=$cat_id AND brand_id IN ($in)";
$stmt = $pdo->prepare($sql);
$stmt->execute($brand);

In general, I cannot find a way to do both at the same time. Can you please tell me how this can be implemented?
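The errors in the second snippet come from PDO refusing to mix named (:name) and positional (?) placeholders in one statement, and from passing the whole $brand array as a single bound value. The following added example (not from the original post) shows both safe ways to keep every value bound: generate a unique named placeholder per brand id, or use positional placeholders throughout; the table and column names are taken from the question, and the in-memory SQLite database is a constructed test fixture.

```php
<?php
// Added example: all-named placeholders, so :cat_id and the IN (...) list
// can live in the same prepared statement. Values are bound, never
// interpolated into the SQL string.
function fetchModels(PDO $pdo, int $catId, array $brandIds): array
{
    if ($brandIds === []) {
        return []; // an empty IN () is a syntax error in most SQL dialects
    }
    $params = [':cat_id' => $catId];
    $placeholders = [];
    foreach (array_values($brandIds) as $i => $brandId) {
        $name = ':brand' . $i;           // :brand0, :brand1, ... (unique per value)
        $placeholders[] = $name;
        $params[$name] = (int) $brandId; // cast so only integers reach the driver
    }
    $sql = 'SELECT * FROM models WHERE category_id = :cat_id'
         . ' AND brand_id IN (' . implode(',', $placeholders) . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Alternative: all-positional placeholders; $catId is prepended to the
// value list so the order matches the order of the ? markers in the SQL.
function fetchModelsPositional(PDO $pdo, int $catId, array $brandIds): array
{
    if ($brandIds === []) {
        return [];
    }
    $in  = implode(',', array_fill(0, count($brandIds), '?'));
    $sql = "SELECT * FROM models WHERE category_id = ? AND brand_id IN ($in)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge([$catId], array_values($brandIds)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture (assumption: the pdo_sqlite driver is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE models (id INTEGER, category_id INTEGER, brand_id INTEGER)');
$pdo->exec('INSERT INTO models VALUES (1, 5, 10), (2, 5, 11), (3, 6, 10)');
print_r(fetchModels($pdo, 5, [10, 11]));
print_r(fetchModelsPositional($pdo, 5, [10, 11]));
```

Both functions return the same rows; the point is that the brand list and the category id are each bound as parameters, so user-controlled values never become part of the SQL text.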
