themeum · shewa12 · Mar 30, 2026 · Mar 13, 2026 · Mar 13, 2026
diff --git a/classes/QuizBuilder.php b/classes/QuizBuilder.php
@@ -301,16 +301,16 @@ public function handle_delete( $deleted_question_ids = array(), $deleted_answer_
 		$deleted_answer_ids   = array_filter( $deleted_answer_ids, 'is_numeric' );
 
 		if ( count( $deleted_question_ids ) ) {
-			$id_str = QueryHelper::prepare_in_clause( $deleted_question_ids );
-            //phpcs:ignore -- sanitized $id_str.
-            $wpdb->query( "DELETE FROM {$wpdb->prefix}tutor_quiz_questions WHERE content_id IS NULL AND question_id IN (" . $id_str . ')' );
+			$in_clause = QueryHelper::prepare_in_clause( $deleted_question_ids );
+            //phpcs:ignore -- sanitized $in_clause.
+            $wpdb->query( $wpdb->prepare(  "DELETE FROM {$wpdb->prefix}tutor_quiz_questions WHERE content_id IS NULL AND question_id IN ({$in_clause})" ) );
 			do_action( 'tutor_deleted_quiz_question_ids', $deleted_question_ids );
 		}
 
 		if ( count( $deleted_answer_ids ) ) {
-			$id_str = QueryHelper::prepare_in_clause( $deleted_answer_ids );
-            //phpcs:ignore -- sanitized $id_str.
-            $wpdb->query( "DELETE FROM {$wpdb->prefix}tutor_quiz_question_answers WHERE answer_id IN (" . $id_str . ')' );
+			$in_clause = QueryHelper::prepare_in_clause( $deleted_answer_ids );
+            //phpcs:ignore -- sanitized $in_clause.
+            $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}tutor_quiz_question_answers WHERE answer_id IN ({$in_clause})" ) );
 		}
 	}
 
@@ -430,6 +430,5 @@ public function ajax_quiz_builder_save() {
 		} else {
 			$this->json_response( __( 'Error', 'tutor' ), $result->errors, HttpHelper::STATUS_BAD_REQUEST );
 		}
-
 	}
 }
diff --git a/classes/Tutor.php b/classes/Tutor.php
@@ -12,6 +12,7 @@
 
 use Tutor\Models\CourseModel;
 use Tutor\Ecommerce\Ecommerce;
+use Tutor\Helpers\QueryHelper;
 use Tutor\Migrations\Migration;
 use Tutor\TemplateImport\TemplateImportInit;
 
@@ -1131,7 +1132,7 @@
 		/**
 		 * Add Instructor role to administrator
 		 */
 		if ( current_user_can( 'administrator' ) ) {
 			tutor_utils()->add_instructor_role( get_current_user_id() );
 		}
 	}
@@ -1359,8 +1360,8 @@
 				'tutor_announcements',
 			);
 
-			$post_type_strings = "'" . implode( "','", $post_types ) . "'";
-			$tutor_posts       = $wpdb->get_col( "SELECT ID from {$wpdb->posts} WHERE post_type in({$post_type_strings}) ;" ); //phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+			$in_clause   = QueryHelper::prepare_in_clause( $post_types );
+			$tutor_posts = $wpdb->get_col( $wpdb->prepare( "SELECT ID from {$wpdb->posts} WHERE post_type IN({$in_clause}) ;" ) ); //phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
 
 			if ( is_array( $tutor_posts ) && count( $tutor_posts ) ) {
 				foreach ( $tutor_posts as $post_id ) {
@@ -1385,10 +1386,10 @@
 			/**
 			 * Deleting Comments (reviews, questions, quiz_answers, etc)
 			 */
-			$tutor_comments       = $wpdb->get_col( "SELECT comment_ID from {$wpdb->comments} WHERE comment_agent = 'comment_agent' ;" );
-			$comments_ids_strings = "'" . implode( "','", $tutor_comments ) . "'";
+			$tutor_comments = $wpdb->get_col( "SELECT comment_ID from {$wpdb->comments} WHERE comment_agent = 'comment_agent' ;" );
 			if ( is_array( $tutor_comments ) && count( $tutor_comments ) ) {
-				$wpdb->query( "DELETE from {$wpdb->commentmeta} WHERE comment_ID in({$comments_ids_strings}) " ); //phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+				$in_clause = QueryHelper::prepare_in_clause( $tutor_comments );
+				$wpdb->query( $wpdb->prepare( "DELETE from {$wpdb->commentmeta} WHERE comment_ID in({$in_clause}) " ) ); //phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
 			}
 			$wpdb->delete( $wpdb->comments, array( 'comment_agent' => 'comment_agent' ) );
 

diff --git a/helpers/QueryHelper.php b/helpers/QueryHelper.php
@@ -41,7 +41,7 @@
 		);

 		if ( $wpdb->last_error ) {
 			throw new \Exception( $wpdb->last_error );
 		}

 		return $insert ? $wpdb->insert_id : 0;
@@ -144,7 +144,7 @@
 		$wpdb->query( "DELETE FROM {$table} WHERE id IN ( $ids )");

 		if ( $wpdb->last_error ) {
 			throw new \Exception( $wpdb->last_error );
 		}

 		return true;
@@ -229,7 +229,7 @@

 		// If error occurred then throw new exception.
 		if ( $wpdb->last_error ) {
 			throw new \Exception( $wpdb->last_error );
 		}

 		if ( $return_ids ) {
@@ -482,9 +482,9 @@
 		$ids = $wpdb->get_col( "SELECT comment_id FROM {$wpdb->comments} WHERE {$where}" );//phpcs:ignore
 
 		if ( is_array( $ids ) && count( $ids ) ) {
-			$ids_str = "'" . implode( "','", $ids ) . "'";
+			$in_clause = self::prepare_in_clause( $ids );
 			// delete comment metas.
-			$wpdb->query( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN({$ids_str}) " );//phpcs:ignore
+			$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->commentmeta} WHERE comment_id IN({$in_clause}) " ) );//phpcs:ignore
 			// delete comment.
 			$wpdb->query( "DELETE FROM {$wpdb->comments} WHERE {$where}" );//phpcs:ignore
 
@@ -514,9 +514,9 @@
 		$ids = $wpdb->get_col( "SELECT id FROM {$wpdb->posts} WHERE {$where}" );//phpcs:ignore
 
 		if ( is_array( $ids ) && count( $ids ) ) {
-			$ids_str = "'" . implode( "','", $ids ) . "'";
+			$in_clause = self::prepare_in_clause( $ids );
 			// delete post metas.
-			$wpdb->query( "DELETE FROM {$wpdb->postmeta} WHERE post_id IN({$ids_str}) " );//phpcs:ignore
+			$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->postmeta} WHERE post_id IN({$in_clause}) " ) );//phpcs:ignore
 			// delete post.
 			$wpdb->query( "DELETE FROM {$wpdb->posts} WHERE {$where}" );//phpcs:ignore
 

diff --git a/models/CourseModel.php b/models/CourseModel.php
@@ -506,9 +506,9 @@
 
 						$questions_ids = $wpdb->get_col( $wpdb->prepare( "SELECT question_id FROM {$wpdb->prefix}tutor_quiz_questions WHERE quiz_id = %d ", $content_id ) );
 						if ( is_array( $questions_ids ) && count( $questions_ids ) ) {
-							$in_question_ids = "'" . implode( "','", $questions_ids ) . "'";
+							$in_clause = QueryHelper::prepare_in_clause( $questions_ids );
 							//phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
-							$wpdb->query( "DELETE FROM {$wpdb->prefix}tutor_quiz_question_answers WHERE belongs_question_id IN({$in_question_ids}) " );
+							$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}tutor_quiz_question_answers WHERE belongs_question_id IN({$in_clause}) " ) );
 						}
 						$wpdb->delete( $wpdb->prefix . 'tutor_quiz_questions', array( 'quiz_id' => $content_id ) );
 					}
@@ -671,7 +671,7 @@
 		);

 		// Check if the current user is an admin.
 		if ( ! current_user_can( 'administrator' ) ) {
 			$args['author'] = $current_user->ID;
 		}

@@ -1108,7 +1108,7 @@
 			),
 		);

 		$courses = current_user_can( 'administrator' ) ? self::get_courses() : self::get_courses_by_instructor();
 		if ( ! empty( $courses ) ) {
 			foreach ( $courses as $course ) {
 				$course_options[] = array(

diff --git a/models/QuizModel.php b/models/QuizModel.php
@@ -446,7 +446,7 @@ public static function get_quiz_attempts( $start = 0, $limit = 10, $search_filte
 	}
 
 	/**
-	 * Delete quizattempt for user
+	 * Delete quiz attempt for user
 	 *
 	 * @since 1.9.5
 	 *
@@ -457,17 +457,15 @@ public static function get_quiz_attempts( $start = 0, $limit = 10, $search_filte
 	public static function delete_quiz_attempt( $attempt_ids ) {
 		global $wpdb;
 
-		// Singlular to array.
+		// Singular to array.
 		! is_array( $attempt_ids ) ? $attempt_ids = array( $attempt_ids ) : 0;
 
 		if ( count( $attempt_ids ) ) {
-			$attempt_ids = implode( ',', $attempt_ids );
+			$attempt_ids = QueryHelper::prepare_in_clause( $attempt_ids );
 
-			//phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
 			// Deleting attempt (comment), child attempt and attempt meta (comment meta).
-			$wpdb->query( "DELETE FROM {$wpdb->prefix}tutor_quiz_attempts WHERE attempt_id IN($attempt_ids)" );
-			$wpdb->query( "DELETE FROM {$wpdb->prefix}tutor_quiz_attempt_answers WHERE quiz_attempt_id IN($attempt_ids)" );
-			//phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+			$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}tutor_quiz_attempts WHERE attempt_id IN({$attempt_ids})" ) ); //phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+			$wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->prefix}tutor_quiz_attempt_answers WHERE quiz_attempt_id IN({$attempt_ids})" ) ); //phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
 
 			do_action( 'tutor_quiz/attempt_deleted', $attempt_ids );
 		}