cursor.execute("INSERT INTO table VALUES (%s, %s, %s)", (var1, var2, var3))
Note that the parameters are passed as a tuple, not spliced into the query string.
The database API does proper escaping and quoting of the variables. Be careful not to use the string formatting operator (%) to build the query, because:
- it does not do any escaping or quoting, and
- it is prone to uncontrolled string format attacks, e.g. SQL injection.
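To make the difference concrete, here is an added example (not code from the original page) that runs the same lookup both ways against an in-memory SQLite database. It uses Python's standard sqlite3 module, whose placeholder is "?" rather than the "%s" paramstyle shown above (the paramstyle depends on the driver; the principle is identical). The table, the rows and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with three sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # Parameters are passed as a sequence of tuples; the driver quotes them.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def insert_user(conn, name, role):
    """Parameterised INSERT, mirroring the cursor.execute call in the text."""
    # The parameters go in a tuple; a single parameter would need a trailing
    # comma, e.g. (name,), because (name) is just a parenthesised string.
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, role))
    conn.commit()


def find_user_unsafe(conn, name):
    """Vulnerable form: the value is spliced into the SQL text by %-formatting.

    Nothing escapes or quotes `name`, so a value containing a quote changes
    the structure of the statement instead of being treated as data.
    """
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Hardened form: the value is bound as a parameter by the driver.

    The SQL text is fixed; whatever `name` contains is sent as a single
    string value and compared literally.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_lookup_raises(conn, name):
    """Report whether the %-formatted query fails to parse for this input.

    Demonstrates the quoting problem even without an attacker: a legitimate
    name such as o'brien breaks the hand-built statement.
    """
    try:
        find_user_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"  # constructed input with an embedded quote
    print("safe:  ", find_user_safe(db, probe))     # [] - no such name
    print("unsafe:", find_user_unsafe(db, probe))   # every row in the table
    print("o'brien via parameters:", find_user_safe(db, "o'brien"))
    print("o'brien via %-formatting raises:", unsafe_lookup_raises(db, "o'brien"))
```

The parameterised lookup returns nothing for the probe string, because the driver compares the whole string as one value; the %-formatted lookup returns every row, because the quote in the input closed the literal and the rest became SQL. The o'brien case shows the second half of the point: hand-built quoting breaks on ordinary data, while the bound parameter just works.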
Enroll yourself in the SQL server certification to learn in-depth about SQL statements, queries and become proficient in SQL.