Oxwall uses several methods to protect from sql injection, including but not limited to using escape functions and other sanitation.  However it is open source and you can improve on those methods if you choose to. 

If you need more specifics, maybe a team member can reply as well.  

If a team member replies you need to send them that specific information by PM so if there is a hole they can plug it...

there are ways to protect against blind sql thru htaccess,  google is your friend.   Also one simple thing you can do for any types of these is to make sure your error reporting is off but that your error logging is on.

Also make sure error messages are not generic, or very very specific, i would even go so far as to return a code rather than an actual true or false value.   One of my scripts returns a code rather than a value and then i refer to a cheat sheet to translate the coded message.

Also remember to have a really good process in place to watch your error log for suspicious activity and ip deny those ip's..   

The objective is to protect yourself against the majority NOT the minority.  That means that all anyone can do is protect your stuff against most people, where as you make it hard for them and they go someplace else.   The minority, the few in the world that are the top percentile of their trade, if they want your stuff they will get it and not much you can do about that short of removing yourself from the web.

One thing i forgot to say (and i meant to) was that i would recommend that you uncheck the box under dashboard and profile and also i think its group settings in the installed plugins, that let users configure those pages.  I will not say why exactly because i dont want to advertise the reason for unwelcomed eyes.  

But i will say there was some talk a while back and i  have not seen any thing since then, so i would uncheck those boxes.

I think Aliia knows what i am speaking of..