
fix: prevent SQL injection in Query Builder deleteBatch() #10284

Open

gr8man wants to merge 1 commit into codeigniter4:develop from gr8man:fix/delete-batch-sql-injection

Conversation


@gr8man gr8man commented Jun 6, 2026

Description
This PR addresses an SQL Injection vulnerability within the _deleteBatch() method of the Database Query Builder.

Previously, when converting binds in the WHERE clause during a deleteBatch operation, the str_replace() function injected the raw $bind[0] value directly into the condition string without properly escaping it. If user input was passed to a where() clause prior to executing deleteBatch(), it could lead to SQL Injection.

This fix ensures that the bound values are properly sanitized via $this->db->escape() (if escaping is enabled for the specific bind) before replacing the bind markers. The fix has been implemented across the BaseBuilder, Postgre\Builder, and OCI8\Builder drivers.

A security regression test (testDeleteBatchSQLInjection) has been added to ensure that malicious SQL payloads are properly escaped when building batch deletion queries.

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value (without duplication)
  • Unit testing, with >80% coverage
  • User guide updated

This commit fixes a vulnerability where bind values in the QBWhere clause were not properly escaped before being replaced directly in the deleteBatch method string. The fix enforces db->escape() to properly sanitize these strings.
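As an added illustration of the defect described above (example code written here, not CodeIgniter's code and not the PR's diff): a minimal model of the bind substitution that deleteBatch() performs on a WHERE condition, once in the vulnerable form that splices `$bind[0]` in verbatim and once in the fixed form that escapes it first. `escapeValue()` is a hypothetical, simplified stand-in for `$this->db->escape()`, and the `marker => [value, escapeFlag]` bind shape and the sample query are constructed for the example.

```php
<?php
// Added example (not CodeIgniter's code): models the bind substitution
// deleteBatch() applies to a WHERE condition, vulnerable and fixed.
// escapeValue() is a hypothetical stand-in for $this->db->escape();
// binds are modelled as marker => [value, escapeFlag], i.e. $bind[0], $bind[1].
declare(strict_types=1);

/** Simplified escape(): quote strings and double any embedded single quote. */
function escapeValue(mixed $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

/** Vulnerable: $bind[0] is spliced into the condition exactly as given. */
function substituteBindsVulnerable(string $condition, array $binds): string
{
    foreach ($binds as $marker => $bind) {
        $condition = str_replace(":{$marker}:", (string) $bind[0], $condition);
    }
    return $condition;
}

/** Fixed: escape the value first whenever the bind asked for it ($bind[1]). */
function substituteBindsFixed(string $condition, array $binds): string
{
    foreach ($binds as $marker => $bind) {
        $value = $bind[1] ? escapeValue($bind[0]) : (string) $bind[0];
        $condition = str_replace(":{$marker}:", $value, $condition);
    }
    return $condition;
}

// Constructed input: a where('id', $userInput) whose value is attacker-shaped
// text instead of the integer the column expects.
$binds = ['id' => ['1 OR 1=1', true]];
$where = 'DELETE FROM "users" WHERE "id" = :id:';
// The vulnerable result leaves the OR outside any literal, so every row matches;
// the fixed result keeps the entire value inside one quoted string literal.
echo substituteBindsVulnerable($where, $binds), PHP_EOL;
echo substituteBindsFixed($where, $binds), PHP_EOL;
```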

mergeable Bot commented Jun 6, 2026

Hi there, gr8man! 👋

Thank you for sending this PR!

We expect the following in all Pull Requests (PRs).

Important

We expect all code changes or bug-fixes to be accompanied by one or more tests added to our test suite to prove the code works.

If pull requests do not comply with the above, they will likely be closed. Since we are a team of volunteers, we don't have any more time to work on the framework than you do. Please make it as painless for your contributions to be included as possible.

See https://github.com/codeigniter4/CodeIgniter4/blob/develop/contributing/pull_request.md

Sincerely, the mergeable bot 🤖
