[eluser]m4rw3r[/eluser]
Yes, it has protection against SQL injection. But as always, be sure that you don't let user input go unfiltered/unrestricted to important stuff.
About the tests, I did not try the "boot test"; that is, testing how fast the database abstraction and ORM loads. This test is really important for seeing how responsive requests will be.