Properly escape IN clause

Author: c-w

services/features.js

@@ -32,7 +32,7 @@ function executeQuery(query, callback) {
 
 function getById(query, callback) {
     const ids = query.id.constructor === Array ? query.id : [query.id];
-    const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${escapeSql(ids.join(','))})`;
+    const getQuery = `SELECT ${buildQueryColumns(query)} FROM features WHERE id IN (${ids.map(escapeSql).join(',')})`;
     executeQuery(getQuery, (err, rows) => {
         if (err) return callback(err);
         if (!rows || rows.length === 0) return callback(null, null);