GSoC/GCI Archive
Google Code-in 2011 LimeSurvey

Find and fix SQL injection points in the Yii version Part 3

completed by: Daniel Klischies

mentors: Carsten Schmitz (c_schmitz), Diogo Gonçalves (dionet), Shubham Sachdeva, Pieter-Jan Speelmans (MrP001)

Walk the complete application sources (models, controllers, helpers etc. except for external libraries) and look out for old style queries which have their parameters added by string concatenation or other unsafe ways.

Change these to use the Yii bindParams feature and, if possible, move the query into the model and use Active Record to protect it against SQL injection.
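The three stages of the task side by side, as an added illustration rather than code from the LimeSurvey sources: a concatenated query of the kind to look for, the same query with a bound parameter via Yii 1.x `CDbCommand`, and the query moved into an Active Record model. The `Participant` model and `participants` table (columns `id`, `email`, `survey_id`) are assumed for the example.

```php
<?php
// Added example, not LimeSurvey code. Assumes a Yii 1.x application with a
// "participants" table (id, email, survey_id) and a Participant AR model.

// BEFORE: the pattern the task asks you to hunt down. $email comes from the
// request and is spliced into the SQL text, so a value containing a quote
// character changes the query instead of being matched literally.
function findParticipantUnsafe($email)
{
    $sql = "SELECT * FROM participants WHERE email = '" . $email . "'";
    return Yii::app()->db->createCommand($sql)->queryRow();
}

// AFTER (step 1): same query through CDbCommand with a bound parameter.
// The value travels to the driver separately from the SQL text, so it is
// never parsed as SQL.
function findParticipantBound($email)
{
    $sql = "SELECT * FROM participants WHERE email = :email";
    return Yii::app()->db->createCommand($sql)
        ->bindValue(':email', $email, PDO::PARAM_STR)
        ->queryRow();
}

// AFTER (step 2): moved into the model and expressed with Active Record.
// CActiveRecord::find() takes a condition plus a params array, so no SQL is
// assembled from user input at all; primary-key lookups use findByPk().
class Participant extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return 'participants';
    }

    // Typed cast on survey_id documents the expected type; the binding,
    // not the cast, is what makes the query safe.
    public static function findByEmailForSurvey($email, $surveyId)
    {
        return self::model()->find(
            'email = :email AND survey_id = :sid',
            array(':email' => $email, ':sid' => (int) $surveyId)
        );
    }
}
```

Binding covers values only: table or column names and `ORDER BY` targets cannot be bound, so when those come from input they must be checked against a fixed whitelist before being placed in the query.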