Parameterize primary key values in DELETE query construction

The DELETE path selects primary key values and then uses them in a
DELETE ... WHERE pk IN (...) query. Previously, the values were
interpolated directly via implode(). While the values come from the
database (not user input), they could be non-integer types (e.g.,
VARCHAR primary keys), which would produce broken SQL. Use bound
parameters instead.

Author: JanJakes

wp-includes/sqlite/class-wp-sqlite-translator.php

@@ -1494,12 +1494,13 @@ private function execute_delete() {
 
 		$quoted_table = $this->quote_identifier( $this->table_name );
 		$quoted_pk    = $this->quote_identifier( $pk_name );
-		$query        = (
-		count( $ids_to_delete )
-			? "DELETE FROM {$quoted_table} WHERE {$quoted_pk} IN (" . implode( ',', $ids_to_delete ) . ')'
-			: "DELETE FROM {$quoted_table} WHERE 0=1"
-		);
-		$this->execute_sqlite_query( $query );
+		if ( count( $ids_to_delete ) ) {
+			$placeholders = implode( ',', array_fill( 0, count( $ids_to_delete ), '?' ) );
+			$stmt         = $this->execute_sqlite_query( "DELETE FROM {$quoted_table} WHERE {$quoted_pk} IN ({$placeholders})" );
+			$stmt->execute( $ids_to_delete );
+		} else {
+			$this->execute_sqlite_query( "DELETE FROM {$quoted_table} WHERE 0=1" );
+		}
 		$this->set_result_from_affected_rows(
 			count( $ids_to_delete )
 		);