from Stack Overflow

Here is a similar solution which I think is more efficient in building up the list of %s strings in the SQL:

format_strings = ','.join(['%s'] * len(list_of_ids))
cursor.execute("DELETE FROM foo.bar WHERE baz IN (%s)" % format_strings,
                tuple(list_of_ids))

That way you avoid having to quote yourself, and avoid all kinds of sql injection.

这个防注入的方法利用了tuple和format_strings