No. It just means that their injected code doesn't have any effect. If someone puts "rm *" into a Python string, that doesn't delete all your files, though it would if you were to (foolishly) execute that string.
Sure, I'd be glad to.
Yes, but it won't be executed. It's just passive data at that point.
Yes, it separates the code (that will be parsed and executed) from the inputs to that code.
If you provide too many or too few values, you'll get an error, just like you would with giving a function too many or too few arguments.
I don't know what you mean by using %s to search a database of SQL commands. If we had a database table filled with a varchar column of strings containing SQL commands, we could search it like any other table that contains text. But we shouldn't execute those commands.
Yes.
PyMySQL does an excellent approximation of prepared queries, gaining the same effect, so we will treat it as if it's the real thing.
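An added example (not from the original thread) illustrating the answers above: the same lookup written with string formatting and with a placeholder, so the injected text stays passive data in the second form, plus the error you get when the value count doesn't match the placeholders. It assumes sqlite3 from the standard library as a stand-in, since PyMySQL needs a running MySQL server; sqlite3 uses `?` where PyMySQL uses `%s`, and the table contents are constructed.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_vulnerable(conn, name):
    # String formatting splices the input into the SQL text, so anything
    # in it that looks like SQL is parsed and executed as SQL.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # The placeholder keeps the SQL fixed; the value travels separately and
    # is compared as a string, never parsed as code ("?" here, "%s" in PyMySQL).
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def arg_count_error(conn):
    # Supplying too few values for the placeholders raises an error, much like
    # calling a function with the wrong number of arguments. Returns the message.
    try:
        conn.execute("SELECT name FROM users WHERE name = ? AND secret = ?",
                     ("alice",))
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("formatted:    ", lookup_vulnerable(db, probe))   # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # no match
    print("count error:  ", arg_count_error(db))
```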