I have a basic Yii CActiveForm that I’m using to gather input from users, which then is inserted into a database [edit] via default Yii ActiveRecord models[/edit]. Like anyone, I want to make sure that a clever user doesn’t drop my database via one of these fields.
The question is: does the Yii CActiveForm automatically sanitize input before it can do anything malicious? I can’t find any documentation on this. Not sure if I need to spend time on it or it’s already taken care of.
Thanks!
When you say “CActiveForm”, I assume you mean using the Yii-generated models and controllers. CActiveForm doesn’t automatically do any sanitizing for you, but if you use the ActiveRecord methods that Yii uses by default, it will generally do the PDO bindings for you based on the data types of each field. If you are creating your own queries using createCommand() or another method, you should define your own bindings.
If you want to see what’s going on, you can turn on logging, e.g., to generate a file with the db commands, add this to your config file in the components->log array:
and if you see the update statements parameterized, you can be pretty sure they are using PDO bindings, which will prevent most, but not necessarily all, SQL attacks. (By default the log file is saved in your “runtime” directory, which you can then trace out. You can also have it displayed at the bottom of the web page or FireBug with CWebLogRoute, but that won’t show all commands if a page gets redirected.)
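To make the distinction concrete, here is an added example (not code from the answer above or from the Yii project) showing, for Yii 1.1, an unbound createCommand() query next to the same query with PDO bindings and the equivalent ActiveRecord lookup, plus a CFileLogRoute config that writes the executed SQL and its bound values to the runtime log. It assumes a `User` ActiveRecord model backed by a `user` table with a `username` column; the request parameter name and the log categories are assumptions, not something the thread specifies.

```php
<?php
// --- Controller-side lookups: who does the binding? ---

// UNSAFE: the raw request value is concatenated into the SQL text.
// Nothing here binds it, so this is the pattern the answer warns about.
function findUserUnsafe($name)
{
    $sql = "SELECT * FROM user WHERE username = '" . $name . "'";
    return Yii::app()->db->createCommand($sql)->queryRow();
}

// SAFE: createCommand() with an explicit PDO binding. The value is sent
// separately from the SQL text, so it can never change the statement.
function findUserBound($name)
{
    return Yii::app()->db->createCommand(
        'SELECT * FROM user WHERE username = :name'
    )->bindValue(':name', $name)->queryRow();
}

// SAFE: the default ActiveRecord finder. CDbCriteria turns the
// attribute array into a parameterized condition for you.
function findUserAr($name)
{
    return User::model()->findByAttributes(array('username' => $name));
}

// Typical use from an action; the 'username' GET parameter is assumed.
$name = isset($_GET['username']) ? $_GET['username'] : '';
$row  = findUserBound($name);

// --- protected/config/main.php fragment: log the SQL actually run ---
// Add under 'components'. enableParamLogging makes the log show the
// bound values next to the ':name' placeholders, which is the
// "statements parameterized" check the answer describes.
$dbLoggingConfig = array(
    'db' => array(
        'enableParamLogging' => true,
    ),
    'log' => array(
        'class'  => 'CLogRouter',
        'routes' => array(
            array(
                'class'      => 'CFileLogRoute',
                'levels'     => 'trace, info',
                'categories' => 'system.db.CDbCommand',
            ),
        ),
    ),
);
```

With that route enabled, a lookup through findUserBound() or findUserAr() appears in protected/runtime/application.log as a statement with a `:name` placeholder and the bound value listed separately, whereas findUserUnsafe() shows the value spliced directly into the SQL text.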