Yes, you are correct - split your sql and your parameters into two variables to avoid confusion, like this :
sql = "INSERT INTO mytable (name,address) VALUES(%s,%s)"
data=("David","Bath")
cur.execute(sql,data)
“data” is an array of values to be inserted. The execute function will take care of ensuring nothing malicious gets through in your data parameter.
The comma on the end of the data is, I believe, only required for a single parameter. It’s not an escape, it’s to force a single value into a tuple which I believe is the required type. I’ve never actually tried a single parameter so i can’t confirm that to be true.
Re your string examples, I’ve not tested them but I personally wouldn’t do it like that if only for the uncertainty. My method above should work fine and is much clearer in its intent.
Hope that helps (and anyone better than me jumps in with corrections!)