I don't think you can avoid building the query dynamically, but you can still avoid SQL injection and the like.
import Control.Applicative ((<$), (<$>))
import Data.List (intersperse)
let query = "update questions set deleted = now() where question_id in ("
++ intersperse ',' ('?' <$ ids)
++ ")"
in run c query (toSql <$> ids)
Links to documentation for intersperse
, <$>
, <$
.