from Stack Overflow
Here is a similar solution which I think is more efficient in building up the list of %s strings in the SQL:
# '%s' is the placeholder token for MySQLdb-style drivers (DB-API paramstyle "format");
# only the placeholders are interpolated into the SQL text, the ids are passed as bound parameters
format_strings = ','.join(['%s'] * len(list_of_ids))
cursor.execute("DELETE FROM foo.bar WHERE baz IN (%s)" % format_strings,
               tuple(list_of_ids))
That way you avoid having to quote yourself, and avoid all kinds of SQL injection.
This anti-injection method relies on the tuple and on format_strings.
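Added example (not code from the Stack Overflow answer): the same placeholder-building technique run against an in-memory SQLite database, next to the string-pasting version it replaces. It goes a little beyond the answer: the placeholder token is picked from the driver's DB-API paramstyle (sqlite3 reports "qmark", so '?' rather than the '%s' MySQLdb uses), an empty id list is short-circuited because IN () is a syntax error, and one hostile value is sent through both versions so the difference is visible. The table bar, the column baz, the four sample rows and the hostile input are all constructed for this example.

```python
import sqlite3

# DB-API 2.0 paramstyle -> placeholder token. sqlite3 reports "qmark";
# MySQLdb and psycopg2 report "format"/"pyformat", which is why the
# original answer builds its list from '%s'.
PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s"}


def in_placeholders(count, paramstyle):
    """Build the placeholder list for an IN (...) clause, e.g. '?,?,?'."""
    try:
        token = PLACEHOLDERS[paramstyle]
    except KeyError:
        raise ValueError("unsupported paramstyle: %r" % paramstyle)
    return ",".join([token] * count)


def delete_by_ids(conn, list_of_ids, paramstyle=sqlite3.paramstyle):
    """Parameterized version: only placeholder tokens are pasted into the SQL
    text; the ids themselves travel as bound parameters. Returns rows deleted."""
    ids = tuple(list_of_ids)
    if not ids:
        return 0  # "IN ()" is a syntax error in most dialects, and there is nothing to delete
    format_strings = in_placeholders(len(ids), paramstyle)
    sql = "DELETE FROM bar WHERE baz IN (%s)" % format_strings  # safe: format_strings holds no user data
    return conn.execute(sql, ids).rowcount


def delete_by_ids_unsafe(conn, list_of_ids):
    """The anti-pattern: id values are pasted straight into the statement text."""
    sql = "DELETE FROM bar WHERE baz IN (%s)" % ",".join(str(i) for i in list_of_ids)
    return conn.execute(sql).rowcount


def make_conn():
    """In-memory table with four constructed rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (baz INTEGER)")
    conn.executemany("INSERT INTO bar VALUES (?)", [(1,), (2,), (3,), (4,)])
    return conn


# Constructed attacker-controlled input: the second "id" closes the IN list
# and appends an always-true condition when it is pasted into the SQL text.
HOSTILE_IDS = [1, "1) OR 1=1 --"]


def demo():
    """Run both versions against HOSTILE_IDS; returns {name: (deleted, remaining)}."""
    results = {}
    for fn in (delete_by_ids_unsafe, delete_by_ids):
        conn = make_conn()
        deleted = fn(conn, HOSTILE_IDS)
        remaining = conn.execute("SELECT COUNT(*) FROM bar").fetchone()[0]
        results[fn.__name__] = (deleted, remaining)
    return results


if __name__ == "__main__":
    print(demo())
```

With the pasted version the statement becomes `DELETE FROM bar WHERE baz IN (1,1) OR 1=1 --)` and every row goes; with the bound version the string `1) OR 1=1 --` is just a value that matches no integer, so only the row with baz = 1 is deleted. The `%` formatting in the safe version is still fine because the only thing it interpolates is a list of placeholder tokens the code itself generated.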