Saturday, October 6, 2012

Do not bypass the ORM: hand-written SQL has to do its own escaping and skips whatever access-rights and record-rule filtering the ORM's `search()` applies, and a hand-built `IN (...)` list also breaks (SQL syntax error) when `ids` is empty.


# very very wrong: the auction ids are spliced straight into the SQL text.
# map(str, ...) is only harmless while every element of `ids` is an int; if
# any element can be attacker-controlled (e.g. a string taken from a request)
# this is a textbook SQL injection. An empty `ids` also yields "in ()", which
# is a SQL syntax error. And, like any raw query, it skips whatever access
# checks the ORM's search() would apply.
cr.execute('select id from auction_lots where auction_id in (' +
           ','.join(map(str,ids))+') and state=%s and obj_price>0',
           ('draft',))
auction_lots_ids = [x[0] for x in cr.fetchall()]

# no injection (the values are passed as query parameters, so the driver
# escapes them and renders the tuple as a parenthesised list), but still
# wrong: the query bypasses the ORM, so the access-rights / record-rule
# filtering that search() would apply is skipped, and an empty `ids` still
# produces "in ()" -> SQL syntax error.
cr.execute('select id from auction_lots where auction_id in %s '\
           'and state=%s and obj_price>0',
           (tuple(ids),'draft',))
auction_lots_ids = [x[0] for x in cr.fetchall()]

# better: let the ORM build and parameterise the SQL and apply its own
# access checks. Each tuple is (field, operator, value); an empty `ids`
# simply matches nothing instead of producing an invalid "in ()".
domain = [
    ('auction_id', 'in', ids),
    ('state', '=', 'draft'),
    ('obj_price', '>', 0),
]
auction_lots_ids = self.search(cr, uid, domain)
