用变量替换此SQL查询的倒数第二行中的数字的安全方法是什么？

说我的变量是customer_id。我可以使用{}代替2并将.format（customer_id）放在此字符串的末尾吗？

unlicensed_query = """
    SELECT SUM(x.quantity), SUM(x.quantity * p.list_price)
        FROM (
        SELECT cu.customer_id, cu.product_id, cu.quantity
        FROM csi_usage cu LEFT JOIN csi c
        ON cu.customer_id = c.customer_id
        AND cu.product_id = c.product_id
        WHERE c.product_id IS NULL
        AND cu.customer_id = 2) x, product p
        WHERE x.product_id = p.id;
    """

如thebjorn所述，正确的方法是使用绑定参数（http://docs.sqlalchemy.org/en/latest/core/tutorial.html#specifying-bound-parameter-behaviors）。一个例子在这里：

from sqlalchemy.sql import text
fully_utilized_query = text("""
    SELECT SUM(x.quantity)
            FROM (
            SELECT cu.customer_id, cu.product_id, cu.quantity
            FROM csi_usage cu
            JOIN csi c
            ON cu.customer_id = c.customer_id
            AND cu.product_id = c.product_id
            AND cu.quantity = c.licence_qty
            WHERE cu.customer_id = :customer_id) x;
    """)
fully_utilized = self.session.execute(fully_utilized_query, {'customer_id': current_user.customer_id}).scalar()