An example SQL injection using your first SQL statement:
cursor.execute("insert into user(username, password) values('{0}', '{1}')".format(username, password))
If username and password are "blah" the resulting SQL statement is:
insert into user(username, password) values('blah', 'blah')
and there is no problem with this particular statement.
However, if a user is able to enter a value for password, perhaps from a HTML form, of:
blah'); drop table user; --
the resulting SQL statement will be:
insert into user(username, password) values('blah', 'blah'); drop table user; --
which is actually 3 statements separated by a semicolon: an insert, a drop table, and then a comment. Some databases, e.g. Postgres will execute all of these statements which results in the user table being dropped. Experimenting with SQLite, however, it seems that SQLite will not allow multiple statements at a time to be executed. Nevertheless there might be other ways to inject SQL. OWASP has a good reference on the topic.
Fixing this is easy, use parameterised queries like this:
cursor.execute("insert into user(username, password) values(?, ?)", (username, password))
Placeholders are added to the query using ? and the db engine will properly escape these values to avoid SQL injections. The resultant query will be:
insert into user(username, password) values('blah', 'blah''); drop table users; --')
where the terminating ' in 'blah\'' has been properly escaped. The value
blah'); drop table users; --
will be present in the password field for the inserted record.