- $comments_in = implode( "', '", $comments );
- $wpdb->query( "UPDATE $wpdb->comments SET comment_approved = '$status' WHERE comment_ID IN ('" . $comments_in . "')" );
+ }
+ $comments_in = implode( ', ', array_map( 'intval', $comments ) );
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_approved = %s WHERE comment_ID IN ($comments_in)", $status ) );
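Review bot: The `IN ($comments_in)` list on the last added line is still interpolated into the string handed to `$wpdb->prepare()`, so its safety rests entirely on the `array_map( 'intval', $comments )` cast one line above; a comment such as `// IDs are cast to int before interpolation; keep the cast next to the query` would stop a later edit from separating the two. If `$comments` can be empty at this point the statement becomes `IN ()` and the query fails, so an early `if ( empty( $comments ) ) { return; }` is worth adding unless the block closed by the added `}` already covers it; that block opens above the visible lines. `$status` is now bound as `%s`, which prevents injection but not unexpected values, so checking it against the allowed comment statuses would be a further hardening if that is not already done earlier in the function.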