python执行SQL语句中有格式化时是否需要加引号

import pymysql

db = pymysql.connect(host='localhost', user='root', password='123456', database='test',port=3306)
cursor = db.cursor()

# 方式1：Python的字符串格式化，String类型需要加上单引号
 cols_name = '6971286372249'
 sql = "SELECT * FROM tablename WHERE cols_name='%s'" % upc
 cursor.execute(sql)

# 方式2：pymysql里excute自带的字符串拼接，不需要加上单引号
 sql = "SELECT * FROM product WHERE upc=%s"
 cursor.execute(sql, '6971286372249')

# 取出查询数据
 data = cursor.fetchall()
 db.close()