
Unrecognized token in SQLite statement

Updated: 2021-11-27 09:12:53

Don't make your SQL queries via string formatting, use the driver's ability to prepare SQL queries and pass parameters into the query - this way you would avoid SQL injections and it would make handling of passing parameters of different types transparent:

query = """
    INSERT INTO 
        db.{table} 
    SELECT DISTINCT
        latitude, longitude, port 
    FROM 
        MessageType1 
    WHERE 
        latitude >= ? AND 
        latitude <= ? AND 
        longitude >= ? AND 
        longitude <= ?
""".format(table=tablename)
cur.execute(query, (bottomlat, toplat, bottomlong, toplong))
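As an added, self-contained illustration of the answer above (not code from the original post), the following uses an in-memory SQLite database with a constructed MessageType1 table: it shows the bound-parameter INSERT ... SELECT, a formatted query breaking on a value containing a quote (the kind of input that produces SQLite's "unrecognized token" error), and an allow-list check for the table name, which cannot be a bound parameter. The table names, column values and the allow-list are assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for the MessageType1 table of the answer.
SAMPLE_ROWS = [(10.5, 20.5, "A"), (11.0, 21.0, "B"), (50.0, 60.0, "C"), (10.5, 20.5, "A")]

# Identifiers cannot be bound with ?; only names on this allow-list may be
# substituted into the SQL text.
ALLOWED_TABLES = {"ports_in_box"}


def build_db():
    """Create an in-memory database with the source and destination tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MessageType1 (latitude REAL, longitude REAL, port TEXT)")
    conn.executemany("INSERT INTO MessageType1 VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.execute("CREATE TABLE ports_in_box (latitude REAL, longitude REAL, port TEXT)")
    return conn


def copy_box(conn, tablename, bottomlat, toplat, bottomlong, toplong):
    """Copy distinct rows inside the bounding box into tablename; return rows inserted."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError(f"unexpected table name: {tablename!r}")
    query = f"""
        INSERT INTO {tablename}
        SELECT DISTINCT latitude, longitude, port
        FROM MessageType1
        WHERE latitude >= ? AND latitude <= ? AND longitude >= ? AND longitude <= ?
    """
    # The four coordinates are bound by the driver, never formatted into the text.
    cur = conn.execute(query, (bottomlat, toplat, bottomlong, toplong))
    return cur.rowcount


def formatted_query_fails(conn, value):
    """True if building the statement by string formatting raises an error for value."""
    try:
        # The pattern the answer warns against: a quote in value breaks the SQL text.
        conn.execute(f"SELECT count(*) FROM MessageType1 WHERE port = '{value}'")
        return False
    except sqlite3.OperationalError:
        return True


def count_port(conn, value):
    """Same lookup with a bound parameter: any value is handled safely."""
    row = conn.execute("SELECT count(*) FROM MessageType1 WHERE port = ?", (value,)).fetchone()
    return row[0]
```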