Blind SQL injection and how it's being handled

Gyle Fernandez, modified 7 Years ago.

New Member Post: 1 Join Date: 3/2/16
Hi everyone,

Currently using: Liferay Portal Enterprise Edition 6.2.10 EE
We did penetration testing on our Liferay portal by doing a blind SQL injection via the following parameters:
p_p_lifecycle=0+and+7659%3D7659
p_p_id=PortletName_WAR_PortletNameportlet%27+and+%27f%27%3D%27f
After running it the page loads normally and we're not getting any info or at least a redirect.

How does Liferay handle these injections via the parameter?

Thanks!
Olaf Kock, modified 7 Years ago.

RE: Blind SQL injection and how it's being handled

Liferay Legend Posts: 6403 Join Date: 9/23/08
Gyle Fernandez:
We did penetration testing on our Liferay portal by doing a blind SQL injection via the following parameters:
p_p_lifecycle=0+and+7659%3D7659
p_p_id=PortletName_WAR_PortletNameportlet%27+and+%27f%27%3D%27f
After running it the page loads normally and we're not getting any info or at least a redirect.

How does Liferay handle these injections via the parameter?


The big question is: Did you see this going through to the database? I doubt it: All code that I've seen uses preparedStatements and just adds values as parameters, never concatenates them to the statement itself. That is, if it goes to the database at all (e.g. I doubt that the lifecycle parameter is used for a query, but feel free to prove me wrong).

My guess would be that the result is roughly equal to using
p_p_lifecycle=SOMETHING_THAT_I_MADE_UP
p_p_id=SOMETHING_ELSE_THAT_I_MADE_UP_AS_WELL
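
Added example, not part of the reply above and not Liferay code: it runs the p_p_id probe from the thread through a concatenated query and through a bound-parameter query, so the two outcomes can be compared with a clean id and a made-up id. The table, the function names and the use of Python's sqlite3 in place of JDBC prepared statements are assumptions for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed query string carrying the two probes quoted in the thread.
QUERY_STRING = ("p_p_lifecycle=0+and+7659%3D7659"
                "&p_p_id=PortletName_WAR_PortletNameportlet%27+and+%27f%27%3D%27f")
CLEAN_ID = "PortletName_WAR_PortletNameportlet"
MADE_UP_ID = "SOMETHING_ELSE_THAT_I_MADE_UP_AS_WELL"


def decode_params(query_string):
    """URL-decode the query string into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def make_db():
    """In-memory database with one hypothetical table (not Liferay's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE portlet (portlet_id TEXT PRIMARY KEY)")
    db.execute("INSERT INTO portlet VALUES (?)", (CLEAN_ID,))
    return db


def lookup_concatenated(db, portlet_id):
    """Unsafe pattern: the value becomes part of the SQL text and is parsed."""
    sql = "SELECT COUNT(*) FROM portlet WHERE portlet_id = '" + portlet_id + "'"
    return db.execute(sql).fetchone()[0]


def lookup_bound(db, portlet_id):
    """Prepared-statement pattern: the value is bound and compared as data."""
    sql = "SELECT COUNT(*) FROM portlet WHERE portlet_id = ?"
    return db.execute(sql, (portlet_id,)).fetchone()[0]


def probe_report(lookup):
    """Row counts for the clean id, the thread's probe and a made-up id."""
    db = make_db()
    probe = decode_params(QUERY_STRING)["p_p_id"]
    return {name: lookup(db, value) for name, value in
            (("clean", CLEAN_ID), ("probe", probe), ("made_up", MADE_UP_ID))}


if __name__ == "__main__":
    # Concatenated: probe matches like the clean id (the clause was executed).
    print("concatenated:", probe_report(lookup_concatenated))
    # Bound: probe matches nothing, exactly like the made-up id.
    print("bound:       ", probe_report(lookup_bound))
```

If the probe behaves like the clean id, the value was parsed as SQL; if it behaves like the made-up id, it stayed data, which is the outcome the reply expects.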