SQL injection is a technique where a malicious user injects SQL commands or queries into an SQL statement, so that the web page receives false input and the security of the web application is compromised.
CakePHP already protects the application against SQL injection if you use CakePHP's methods like find() and save() with proper array notation (i.e. array('field' => $value)).
Still, it is sometimes necessary to perform manual queries, which can be done with Model::query():
$this->MyModel->query('SELECT name FROM users WHERE id = ? AND status = ?', array($id, $status));
So put the line below in AppController.php to protect the SQL queries against injection:-
App::import('Sanitize');
Or put the same in your own controller:-
App::import('Sanitize');
class XyzController extends AppController {
...
...
}
The Sanitize class's clean() function takes an array (or string) and returns the cleaned version of it, which protects against these types of attacks.
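As an added example (not code from the original post), here is a CakePHP 2.x controller action that puts the three things above side by side: the ORM's array notation, the '?' placeholder form of Model::query(), and Sanitize::clean(). It assumes a User model with name and status columns, a GET parameter named status, and loads Sanitize with App::uses('Sanitize', 'Utility'), the 2.x location of the class.

```php
<?php
// Added example for CakePHP 2.x (not from the original post).
// Assumed: a User model over a `users` table with `name` and `status`
// columns, and an untrusted GET parameter `status` from the client.
App::uses('AppController', 'Controller');
App::uses('Sanitize', 'Utility'); // 2.x location of the Sanitize class

class UsersController extends AppController {

    public $uses = array('User');

    public function by_status() {
        // Untrusted input straight from the query string.
        $status = isset($this->request->query['status'])
            ? $this->request->query['status']
            : '';

        // 1. What the ORM already does for you: with array notation the
        //    value is escaped/bound by the datasource, never spliced in.
        $viaFind = $this->User->find('all', array(
            'conditions' => array('User.status' => $status),
            'fields'     => array('User.name'),
        ));

        // 2. Manual SQL, still safe: '?' placeholders plus a parameter
        //    array, so CakePHP hands the value to a prepared statement.
        $viaQuery = $this->User->query(
            'SELECT name FROM users WHERE status = ?',
            array($status)
        );

        // 3. The unsafe form, for contrast (left commented out): building
        //    the SQL string from the raw input lets a quote character in
        //    $status alter the WHERE clause.
        // $unsafe = $this->User->query(
        //     "SELECT name FROM users WHERE status = '" . $status . "'"
        // );

        // Sanitize::clean() walks an array (or takes a string) and returns
        // a cleaned copy. Here it is applied to the whole request data
        // before it is handed to the view; the placeholders above remain
        // the actual protection for the SQL itself.
        $cleanInput = Sanitize::clean($this->request->query);

        $this->set(compact('viaFind', 'viaQuery', 'cleanInput'));
    }
}
```

Note that the Sanitize class was deprecated in CakePHP 2.4 and removed in 3.0, so for manual queries the '?' placeholders, not Sanitize::clean(), are the part to rely on.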