For VQL questions, ask the publisher of VQL, or read the documentation.
The documentation says it is a "SQL-like" language.
Popular databases don't even follow current standards exactly, let alone a "SQL-like" language.
And passing a SQL query in a POST from a browser is completely insecure.
IN() is just a shortcut way of writing a string of ORs.
Just took a look, and VQL does not support the standard IN(). It uses its own invention, CONTAINS().
Don't make the assumption that non-standard languages follow standards.
I'm aghast if a drug company has an API that lets you query a database from a browser using a "SQL-like" language. I'm sure they meant it to be used from a server program, not from a browser!
Even so, if you write a server program, use bound variables, rather than constructing a SQL statement by pasting in values. It is NOT secure from hacking by constructing clever values! Any C-grade hacker can figure this out.
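
An added example, not part of the original post: the difference between pasting values into an IN() list and binding them, shown with Python's `sqlite3` as a stand-in for standard SQL (this is not VQL). The `documents` table, its columns and the sample values are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (name TEXT, restricted INTEGER)")
    db.executemany("INSERT INTO documents VALUES (?, ?)",
                   [("label-a", 0), ("label-b", 0), ("trial-x", 1)])
    return db

def find_pasted(db, names):
    # Unsafe: values become part of the statement text, so a value that
    # contains a quote changes the structure of the query.
    in_list = ", ".join("'%s'" % n for n in names)
    sql = ("SELECT name FROM documents "
           "WHERE restricted = 0 AND name IN (%s)" % in_list)
    return sorted(r[0] for r in db.execute(sql))

def find_bound(db, names):
    # Safe: one "?" per value; the driver sends the values separately,
    # so they are only ever compared as data.
    if not names:
        return []  # "IN ()" is a syntax error; an empty list matches nothing
    marks = ", ".join("?" for _ in names)
    sql = ("SELECT name FROM documents "
           "WHERE restricted = 0 AND name IN (%s)" % marks)
    return sorted(r[0] for r in db.execute(sql, list(names)))

def find_ors(db, names):
    # The same query as the string of ORs that IN() abbreviates,
    # for dialects without IN(); the values are still bound.
    if not names:
        return []
    ors = " OR ".join("name = ?" for _ in names)
    sql = ("SELECT name FROM documents "
           "WHERE restricted = 0 AND (%s)" % ors)
    return sorted(r[0] for r in db.execute(sql, list(names)))

if __name__ == "__main__":
    db = make_db()
    crafted = ["x') OR ('1'='1"]  # constructed input containing quotes
    print("pasted:", find_pasted(db, crafted))  # restricted row leaks
    print("bound: ", find_bound(db, crafted))   # no rows
    print("normal:", find_bound(db, ["label-a", "trial-x"]))
```

With the pasted version the `restricted = 0` filter is bypassed by the crafted value; with bound variables the same value is just a name that matches nothing.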