Besides unit testing, how can I test my Phalcon application against SQL injection or other harmful tricks?
I don't know, maybe find some company doing such tests? If you are using parameter binding everywhere, then it's already protected against SQL injection.
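The parameter-binding point from the reply above, as an added example that is not part of the original thread: a small regression check that runs the same hostile inputs through a concatenated query and a bound one. It uses plain PDO with an in-memory SQLite database rather than Phalcon itself; the `users` table, its rows and all function names are constructed for the illustration.

```php
<?php
// Added example: constructed schema and data, plain PDO with in-memory SQLite.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");
    return $db;
}

// "Before": user input concatenated into the SQL text.
function findByNameConcat(PDO $db, string $name): array
{
    return $db->query("SELECT name FROM users WHERE name = '$name'")->fetchAll(PDO::FETCH_COLUMN);
}

// "After": input passed as a bound parameter, never parsed as SQL.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Returns the inputs for which the finder returned rows it should not have.
function regressionCheck(callable $finder): array
{
    $db = makeDb();
    // Constructed test inputs; no user in the table has any of these literal names.
    $hostile = ["' OR '1'='1", "alice' --", "x' UNION SELECT secret FROM users --"];
    $failures = [];
    foreach ($hostile as $input) {
        try {
            $rows = $finder($db, $input);
        } catch (PDOException $e) {
            $failures[] = $input; // input broke the SQL grammar, so it reached the parser
            continue;
        }
        if ($rows !== []) {       // any row returned means the input changed the query
            $failures[] = $input;
        }
    }
    return $failures;
}

printf("concatenated: %d of 3 inputs altered the query\n", count(regressionCheck('findByNameConcat')));
printf("bound:        %d of 3 inputs altered the query\n", count(regressionCheck('findByNameBound')));
```

The same `regressionCheck` loop can be pointed at an application's own query helpers in a test suite, so a query that slips back to string concatenation fails the build.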
You could also load up a virtual instance of Kali Linux on your LAN and point various automated attack tools that come prepackaged with Kali at your dev environment. That's what I do.