Hello I'd just like a confirmation on that if when I use Model::findFirstByEmail($email) for example, that the statement is somehow (binding) protected against SQL injection from $email or should I use something else.
yes, phalcon binds param internally.
you can see it here in zephir: https://github.com/phalcon/cphalcon/blob/2.0.0/phalcon/mvc/model.zep lines start 4091 to 4097