SQL injection trouble with SQLite in Python
How can I correct this code to make it less vulnerable to SQL injection? (sqlite3)

    audit((cursor, connection, 0), "registration error {0}".format(username))
    sql = """insert into activitylog(userid, activity, start, stop)
             values({0}, '{1}', '{2}','{3}') """.format(handle[2], activity, start, stop)
I suggest using the parameter substitution built into the sqlite3 dbapi2 module:

    con.execute('insert into activitylog (userid, activity, start, stop) values (?, ?, ?, ?)',
                (handle[2], activity, start, stop))

You can split it onto multiple lines with the triple-quoted string literal you have in your code.
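As an added example (not part of the question or the answer above), the following runs the formatted query from the question and the parameterized version from the answer side by side against a constructed in-memory activitylog table. The table schema, the sample inputs and the function names are assumptions for illustration. It shows two things the thread only implies: an ordinary value containing an apostrophe already breaks the formatted statement, so string formatting is a correctness bug as well as an injection hole; and an attacker does not need a second `;`-separated statement (which `con.execute` refuses anyway) to do damage, because a quote in one value can rewrite the other values of the same INSERT. Parameter substitution stores both inputs verbatim.

```python
import sqlite3

# Constructed stand-in for the question's activitylog table (schema assumed).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table activitylog (userid integer, activity text, start text, stop text)"
    )
    return con


def log_activity_unsafe(con, userid, activity, start, stop):
    """The pattern from the question: values formatted into the SQL text."""
    sql = """insert into activitylog(userid, activity, start, stop)
             values({0}, '{1}', '{2}', '{3}')""".format(userid, activity, start, stop)
    con.execute(sql)
    con.commit()


def log_activity_safe(con, userid, activity, start, stop):
    """The answer's fix: fixed SQL text, values bound as parameters by sqlite."""
    con.execute(
        """insert into activitylog (userid, activity, start, stop)
           values (?, ?, ?, ?)""",
        (userid, activity, start, stop),
    )
    con.commit()


def rows(con):
    return con.execute(
        "select userid, activity, start, stop from activitylog order by rowid"
    ).fetchall()


# Constructed inputs. APOSTROPHE is a benign value that happens to contain a
# quote. HOSTILE closes the activity literal, supplies its own start/stop,
# closes the VALUES list and comments out the real timestamps, all inside
# the single INSERT statement.
APOSTROPHE = "O'Brien's handover"
HOSTILE = "login', '1970-01-01 00:00', '1970-01-01 00:00') -- "
START, STOP = "2024-05-01 09:00", "2024-05-01 17:00"


def demo_unsafe():
    """Returns (error text or None, stored rows) for the formatted query."""
    con = make_db()
    error = None
    try:
        log_activity_unsafe(con, 7, APOSTROPHE, START, STOP)
    except sqlite3.OperationalError as exc:
        error = str(exc)  # the apostrophe alone yields a syntax error
    log_activity_unsafe(con, 7, HOSTILE, START, STOP)
    return error, rows(con)


def demo_safe():
    """Same inputs through parameter substitution: both stored verbatim."""
    con = make_db()
    log_activity_safe(con, 7, APOSTROPHE, START, STOP)
    log_activity_safe(con, 7, HOSTILE, START, STOP)
    return rows(con)


if __name__ == "__main__":
    err, stored = demo_unsafe()
    print("unsafe, apostrophe:", err)
    print("unsafe, hostile:   ", stored)
    print("safe:              ", demo_safe())
```

With the formatted query, the hostile row is stored with attacker-chosen start and stop timestamps, while the parameterized version records the hostile string itself as the activity and keeps the real timestamps.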