Add the quotes into the implode call: (I’m assuming you meant implode)
$SQL = 'DELETE FROM elements
WHERE id IN ("' . implode('", "', $elements) . '")';
This produces:
DELETE FROM elements WHERE id IN ("foo", "bar", "tar", "dar")
The best way to protect against SQL injection is to make sure your elements are properly escaped.
An easy thing to do that should work (but I haven’t tested it) is to use either array_map or array_walk, and escape every parameter, like so:
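// $elements holds the id values to delete
$elements = array();
// Escape every value; needs an open ext/mysql connection (extension removed in PHP 7.0)
$elements = array_map('mysql_real_escape_string', $elements);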
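
The same DELETE ... IN (...) query with one bound placeholder per element, so the values never become part of the SQL text. This is an added example, not part of the original answer; it assumes PDO with the pdo_sqlite driver, and the helper name deleteElements and the demo rows are constructed for illustration.

```php
<?php
// Added example: delete rows by an id list using bound parameters.
// deleteElements() is a hypothetical helper name, not from the original answer.

function deleteElements(PDO $pdo, array $ids): int
{
    // An empty list would yield "IN ()", which is a syntax error; nothing to do.
    if ($ids === []) {
        return 0;
    }
    // One "?" per value. Only the placeholder count depends on the input.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM elements WHERE id IN ($placeholders)");
    // array_values() re-indexes the list so positional binding lines up.
    $stmt->execute(array_values($ids));
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE elements (id TEXT PRIMARY KEY)');
$insert = $pdo->prepare('INSERT INTO elements (id) VALUES (?)');
foreach (['foo', 'bar', 'tar', 'dar', 'keep'] as $id) {
    $insert->execute([$id]);
}

// The last value contains quote characters. Pasted unescaped into
// IN ("...") it would read as two ids; bound, it is one literal string
// that matches no row, so "tar" and "dar" are left alone.
$deleted = deleteElements($pdo, ['foo', 'bar', 'tar", "dar']);
$left = $pdo->query('SELECT id FROM elements ORDER BY id')
            ->fetchAll(PDO::FETCH_COLUMN);

echo "deleted: $deleted\n";
echo 'remaining: ' . implode(', ', $left) . "\n";
```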