Executing raw SQL with connection.cursor in Django

connection.cursor can only return rows as tuples, and what is worse, its parameterized queries are a real pain to work with.

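Things like dynamic table names, column names and sort keywords cannot be passed as query parameters; the only option is to build the SQL string. Because sort and order end up in the SQL text itself, check them against a fixed set of allowed column names and ASC/DESC before building the string; passing request input through unchanged makes the query injectable.

        # sort and order are spliced into the SQL text, so they must already be validated
        sql = '''SELECT t1.id,t1.serial_number,t1.position,t1.system_os,t1.pc_score,t1.pc_cpu,t1.pc_memory,t1.use_time,t2.name AS person_name
        FROM app_HardwareInfo AS t1
        LEFT JOIN app_PersonInfo AS t2 ON t1.person_id=t2.id
        ORDER BY t1.%s %s''' % (sort, order)
        cursor.execute(sql)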

Parameterization can only be used for values:

        id1 = 1
        id2 = 2
        sql = '''SELECT t1.id,t1.serial_number,t1.position,t1.system_os,t1.pc_score,t1.pc_cpu,t1.pc_memory,t1.use_time,t2.name AS person_name
        FROM app_HardwareInfo AS t1
        LEFT JOIN app_PersonInfo AS t2 ON t1.person_id=t2.id
        WHERE t1.id=%s AND t2.name=%s'''
        # the driver binds the values; they never become part of the SQL text
        cursor.execute(sql, [id1, id2])
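The two cases above combined, as an added example that is not code from the original post: the sort column and direction are resolved through an allowlist before they are spliced into the SQL text, the value stays a bound parameter, and the tuples the cursor returns are turned into dicts. The names build_query, dictfetchall, demo, SORT_COLUMNS and ORDER_KEYWORDS, the reduced column set and the sample rows are assumptions, and the standard-library sqlite3 module stands in for Django's cursor so the block runs without a project.

```python
import sqlite3

# Allowlist: client-supplied key -> SQL fragment that may be spliced into the text.
SORT_COLUMNS = {"id": "t1.id", "serial_number": "t1.serial_number",
                "pc_score": "t1.pc_score", "use_time": "t1.use_time"}
ORDER_KEYWORDS = {"asc": "ASC", "desc": "DESC"}


def build_query(sort, order, person_name, placeholder="%s"):
    """Return (sql, params); identifiers come from the allowlist, values stay bound."""
    try:
        column = SORT_COLUMNS[sort]
        direction = ORDER_KEYWORDS[str(order).lower()]
    except (KeyError, TypeError):
        raise ValueError("unsupported sort/order: %r %r" % (sort, order)) from None
    sql = ("SELECT t1.id, t1.serial_number, t1.pc_score, t2.name AS person_name "
           "FROM app_HardwareInfo AS t1 "
           "LEFT JOIN app_PersonInfo AS t2 ON t1.person_id = t2.id "
           "WHERE t2.name = {ph} ORDER BY {col} {dir}"
           ).format(ph=placeholder, col=column, dir=direction)
    return sql, [person_name]


def dictfetchall(cursor):
    """Turn the tuples a DB-API cursor returns into dicts keyed by column name."""
    columns = [col[0] for col in cursor.description]
    return [dict(zip(columns, row)) for row in cursor.fetchall()]


def demo(sort, order):
    # Constructed sample data. sqlite3 stands in for Django's cursor here, so the
    # placeholder is "?"; with django.db.connection keep the default "%s".
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.executescript("""
        CREATE TABLE app_PersonInfo (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE app_HardwareInfo (id INTEGER PRIMARY KEY, serial_number TEXT,
                                       pc_score INTEGER, person_id INTEGER);
        INSERT INTO app_PersonInfo VALUES (1, 'alice');
        INSERT INTO app_HardwareInfo VALUES (1, 'SN-001', 70, 1);
        INSERT INTO app_HardwareInfo VALUES (2, 'SN-002', 95, 1);
    """)
    sql, params = build_query(sort, order, "alice", placeholder="?")
    cur.execute(sql, params)
    return dictfetchall(cur)
```

A sort or order value outside the allowlist raises ValueError before any SQL is built, so a view can map it to a 400 response.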
