fix: pass query_ids as parameter to prevent SQL injection

fix: pass query_ids as parameter to prevent SQL injection #29