Two very common problems are here.
The first is that your code is vulnerable to SQL Injection. You should never create an SQL query by piecing command strings and user data together. If you slip in a few special characters you can easily open up the entire db for all to view or delete.
As I am not fluent in Python I cannot tell you the best way to rewrite this; however, this appears to be a very good sample to follow: OpenStack Docs: Parameterize Database Queries
The second is DateTime. Most programming languages and databases actually store and work with DateTime objects as a number, and the only time there is a format to it is when it is converted to text for humans to read.
As previously stated, I am not fluent in Python, and you have not mentioned what type of DB you are working with. But I can tell you generally that your DB should have the appropriate data type for your date, and when your program uses a parameterized query with the correct data type and the database column is of the same data type, the database driver will take care of it 99.999% of the time.
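The two points above, shown side by side in Python. This is an added example, not code from the question or the answer, and it assumes the standard-library sqlite3 module with an in-memory database and constructed sample rows; the table, column names and the hypothetical `count_since` / `latest_event` helpers are my own. The unsafe function is kept only to show what string-pasting does to a query, and the safe one lets the driver bind the values and convert the datetime both ways.

```python
import sqlite3
from datetime import datetime

# Let the driver handle DateTime <-> text conversion, so application code
# never formats dates by hand. (Assumption: ISO text storage in SQLite.)
sqlite3.register_adapter(datetime, lambda d: d.isoformat(sep=" "))
sqlite3.register_converter("TIMESTAMP",
                           lambda b: datetime.fromisoformat(b.decode()))

# Constructed sample data, not taken from the original post.
SAMPLE_ROWS = [
    ("alice", datetime(2020, 1, 15, 9, 30)),
    ("bob",   datetime(2020, 3, 1, 12, 0)),
    ("carol", datetime(2021, 7, 4, 18, 45)),
]


def make_db():
    """Create an in-memory database with a TIMESTAMP column and sample rows."""
    conn = sqlite3.connect(":memory:", detect_types=sqlite3.PARSE_DECLTYPES)
    conn.execute("CREATE TABLE events (user TEXT, created_at TIMESTAMP)")
    # Parameterized insert: datetime objects go through the adapter above.
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def count_since_unsafe(conn, user, since_text):
    """VULNERABLE: user input is pasted into the statement text.

    A value such as  x' OR '1'='1  changes the meaning of the WHERE clause
    and the query returns every row. Shown only for comparison.
    """
    sql = ("SELECT COUNT(*) FROM events WHERE user = '" + user +
           "' AND created_at >= '" + since_text + "'")
    return conn.execute(sql).fetchone()[0]


def count_since(conn, user, since):
    """SAFE: placeholders keep data and SQL apart; `since` is a datetime."""
    row = conn.execute(
        "SELECT COUNT(*) FROM events WHERE user = ? AND created_at >= ?",
        (user, since),
    ).fetchone()
    return row[0]


def latest_event(conn, user):
    """Return the newest created_at for `user` as a datetime (via converter)."""
    row = conn.execute(
        "SELECT created_at FROM events WHERE user = ? "
        "ORDER BY created_at DESC LIMIT 1",
        (user,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("alice events since 2020-01-01:", count_since(db, "alice", datetime(2020, 1, 1)))
    print("type returned by latest_event:", type(latest_event(db, "alice")).__name__)
    hostile = "x' OR '1'='1"
    print("unsafe query with hostile input:", count_since_unsafe(db, hostile, ""))
    print("safe query with same input:    ", count_since(db, hostile, datetime(2000, 1, 1)))
```

With placeholders the hostile string is compared as a literal user name and matches nothing, while the concatenated version returns every row; the same placeholder path also carries the datetime in and out without any hand-formatting.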