How to prevent SQL Injection via the array parameter? (CVE-2017-14069)

Hello, this page suggest that the sql_query

$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST[usernw]) . ")")or sqlerr(__FILE__, __LINE__);

Code (SQL):

is vulnerable to a SQL injection "via the usernw array parameter to nowarn.php."

and the exploit is suggested:

POST nowarned=nowarned&usernw[]=(select*from(select sleep(10))x)

Code (markup):

Please how that sql_query should look like so it prevent the abuse?

 

I am thinking that "id" field will be a numeric field.

So instead of doing an implode inside the query itself, do a check before sending the data to the query, something like:

$d= $_POST['usernw'];
if( is_array($d) ){

foreach($d as $k=> $kk){
if( !is_numeric($kk) ){ unset( $d[$k] ); }
}

if( sizeof($d)>0 ){

$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $d) . ")") or sqlerr(__FILE__, __LINE__);

}//$d is empty after checks

}//POST is not array

 

Thank you, i have found one person would do it like this, turn:
$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . implode(", ", $_POST[usernw]) . ")")or sqlerr(__FILE__, __LINE__);
into:
$r = sql_query("SELECT modcomment FROM users WHERE id IN (" . sqlesc(implode(", ", $_POST[usernw]) ). ")")or sqlerr(__FILE__, __LINE__);

that seems more simple than @JEET way.. feedback is welcome