Colname is variable here, it value should be replaced in param string ($1).
Regardless of the specific characters it is replaced with the important point is that your first query introduces an identifier and the second a string literal. This is why they behave differently.
There is no bug here - the queries are doing what they are supposed to. The use of string literals makes the second filter always evaluate to true so long as at least one row is returned and the value of $1 is not null (in this case your where clause is "cmdid' IN ('cmdid', 'cmdid', ...)". Thus it deletes all rows in the table.