I am assuming Yii automatically protects against SQL injection attacks.
No software can ever protect you against programmer stupidity. All that Yii can do is give you the tools to make it easy to protect your site (and Yii does this very well) but you still have to do it. In the case of SQL injection attacks, you want to look into prepared statements, which are discussed in this page.
The site needs to be as "un hackable" and secure as possible.
Un-hackable sites do not exist. You have to set realistic goals.
We will be using SSL which covers a lot of areas I believe.
SSL will protect you against packet sniffers. Nothing more. It will do nothing for SQL injection, cookie attacks, XSS, CSRF, dictionary attacks, or DOS attacks. There is no single product that will magically make you secure. You can't "buy" security. You need to develop a deeper understanding of threats and guard against them as best as you can. To do that, you need to understand the threats to your assets so you can prioritize.
They jsut need to make sure that users data is not obtainable by people that shouldn't have access.
Ok, let's start with some really broad threats. We can roughly divide threats into three groups:
Bad guys accessing data that they are not supposed to.
Bad guys modifying data that they are not supposed to.
Bad guys preventing good guys from using the service.
How do you feel about these? When you say "I want security", which of these are you thinking of? Are you willing to increase the risk of one in order to decrease the risk of the other?
For example: locking user accounts after 3 failed logins. This is a very effective way to protect against dictionary attacks (which is a "type 1 and type 2" threat) but it makes it really easy for a bad guy to lock out all your users (a "type 3" threat). Given this, would you be in favour or against locking accounts after 3 failed logins?
Notice, this is just one example of one threat. There are dozens.