I've created a geoprocessing service that creates new features using arcpy.SelectLayerByAttribute_management() with a where clause that is built using an attribute value provided by the user (through a Web AppBuilder geoprocessing widget) on a source SDE-based feature class and then dissolving (there may be multiple features selected) into an in_memory feature class that is appended to the target SDE-based feature class.
I know just enough about SQL injection attacks to know that they can be a Bad Thing (tm). Should I be sanitizing the user's input in the string from the GetParameterAsText() call myself, or does arcpy handle this automagically? In this application I (think I) can trust the users who would be entering data, but one drop table command from one attacker slipping in would be bad.
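An added example (not code from the question or from arcpy) showing the difference between concatenating the widget's text straight into the where clause and building the clause defensively. Since arcpy where clauses have no bind parameters, the defence is an allowlist of field names, a numeric parse for numeric fields, and SQL-standard quote doubling for text fields. The field names and values are hypothetical; arcpy is deliberately not imported so the logic runs offline, and in the real script the returned clause would be passed to arcpy.SelectLayerByAttribute_management().

```python
import re

# Hypothetical allowlist of fields the widget may filter on, with their
# expected types. The question does not give the real schema.
ALLOWED_FIELDS = {"PARCEL_ID": int, "OWNER_NAME": str}

# Field names must look like plain identifiers; user text never becomes one.
_FIELD_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def unsafe_where(field, value):
    """The pattern the question describes: raw concatenation of user text.

    Kept only to show the problem. A value containing an apostrophe ends the
    string literal early and the rest of the text becomes SQL.
    """
    return f"{field} = '{value}'"


def safe_where(field, value):
    """Build a where clause from user input for an arcpy selection.

    1. The field name must be allowlisted (it is never taken from user text).
    2. Numeric fields get their value parsed as a number, which rejects
       anything that is not a plain integer literal.
    3. Text fields get every single quote doubled, the SQL-standard escape,
       so an apostrophe cannot terminate the literal.
    """
    if field not in ALLOWED_FIELDS or not _FIELD_NAME_RE.match(field):
        raise ValueError(f"field not allowed: {field!r}")

    kind = ALLOWED_FIELDS[field]
    if kind is int:
        try:
            number = int(str(value).strip())
        except ValueError:
            raise ValueError(f"{field} expects an integer, got {value!r}") from None
        return f"{field} = {number}"

    text = str(value)
    if "\x00" in text:
        raise ValueError("NUL byte in value")
    escaped = text.replace("'", "''")
    return f"{field} = '{escaped}'"


if __name__ == "__main__":
    # Constructed inputs: a benign surname with an apostrophe, and a numeric id.
    print(unsafe_where("OWNER_NAME", "O'Brien"))   # literal is cut at the apostrophe
    print(safe_where("OWNER_NAME", "O'Brien"))     # OWNER_NAME = 'O''Brien'
    print(safe_where("PARCEL_ID", " 42 "))         # PARCEL_ID = 42
```

In a real script the field name in the returned clause would additionally be wrapped with arcpy.AddFieldDelimiters(datasource, field) so the delimiters match the SDE backend; that call is omitted here only so the example runs without arcpy.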
arcpy handles nothing magically, nor does Python. All GetParameterAsText does is make a string out of whatever it is given... if it can, so numbers get converted to text, which means you have to convert them back... I prefer sys.argv when you don't want to mess around with objects being passed to scripts.
Some illustrative examples might help fine-tune your question and subsequent responses.
Another option could be moving the feature class from your SDE database into either in_memory or the scratchGDB and then do any processing against that feature class so you won't have to worry about that type of problem.