Hi there, I'm working on a forum for my site. Here is the thing: I'm using PHP as a language, but it's my first time in such a project. I would love some advice on what security things I should consider while programming, like "XSS" and "CSRF". Thank you for the help.
My first question would be "why are you recreating the wheel?" There is lots of free forum software available, and you could learn as much PHP by extending its functionality and creating your own theme as by creating something that already exists.
If so, you might want to take a look at the code for the forums that already exist. The security risks are the same as for any other site that allows user login and user posts. Sanitize everything, run everything through a central point (load every file via index.php, use .htaccess / server config to disallow everything users don't need access to, and use things like mod_xsendfile to provide downloadable files, or just fetching files for embedded use on the forum, since that will prevent a bit of trouble as well (it's not enabled by default, so you need to install it on the server / set it up in the Apache config)).

A forum isn't that hard to develop, but you'll need a bit of both database and extensive PHP knowledge, and you should be well-versed in securing both the server and the user credentials and setting up very distinct user roles. The whole site needs to be designed from a bottom->up perspective (start with the basics, which all users have access to, then move up to the next level (for instance, moderators) and so on, making sure that you don't accidentally forget a role check so users suddenly have access to deleting other users' threads, and so on).

There are plenty of pitfalls, and even though it might be a learning experience, I cannot for the life of me recommend you do THIS for a learning experience, especially if it's supposed to go live. You WILL fuck it up, somewhere, and some, or all, users will get pissed at you - either because their logins get compromised, the site goes down, their credentials get stolen, or any other possible outcome. Not that those things can't happen to pre-made forum software; of course they can, but then you have someone to blame, and a better chance that at least most of the obvious holes have been patched up.
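Putting the three checks this reply names into code, as an added example that is not from the thread: output escaping against XSS, a per-session CSRF token on state-changing forms, and the role check before a thread can be deleted. It assumes PHP 7+ with session_start() already called from the central index.php, a PDO connection, and user/thread arrays with the fields shown; the function names are mine.

```php
<?php
declare(strict_types=1);

// XSS: escape every user-supplied string at output time, for the HTML context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// CSRF: one random token per session, embedded as a hidden field in every form
// that changes state (post, edit, delete).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid($submitted): bool
{
    // hash_equals compares in constant time, so timing leaks nothing about the token.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Role check: a user may delete only their own thread; moderators and admins
// may delete anyone's. Forgetting this is the hole the reply above warns about.
function canDeleteThread(array $user, array $thread): bool
{
    if (in_array($user['role'], ['moderator', 'admin'], true)) {
        return true;
    }
    return $user['id'] === $thread['author_id'];
}

// Handler for the delete form, reached through the central index.php (assumed).
function handleDeleteThread(array $user, array $thread, PDO $db): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !csrfTokenIsValid($_POST['csrf_token'] ?? null)
        || !canDeleteThread($user, $thread)) {
        http_response_code(403);
        exit('Forbidden');
    }
    // Prepared statement: the thread id never gets concatenated into SQL.
    $stmt = $db->prepare('DELETE FROM threads WHERE id = :id');
    $stmt->execute([':id' => $thread['id']]);
}
```

The same pattern (POST only, token check, role check, prepared statement) applies to every other state-changing action: posting, editing, banning.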
In my early days of creating web sites I had that "geek" mentality like deathshadow, where I had too much pride to use code written by someone else. Then I learned a few valuable lessons... #1 I spent WAY too much time writing untested code that was already written and stable by someone else, and #2 I delayed the launch of my projects so long that I either never finished them or released them so late that it was no longer a hot niche... If only I could turn back time I would be a millionaire and not traveling all over the country working for someone else. My best advice to you is to NOT reinvent the wheel, like Sara pointed out. Get a stable forum that already exists and spend the time on customizing it and making it fit into the theme of your web site. If you have a separate registration form it's pretty easy to integrate a forum registration into the database so your user will automatically have access to the forum. If all you want to do is enjoy programming, then by all means hack away at the code. But if your goal is to be an efficient entrepreneur (and make $$$) then you need to manage risk vs. reward, with risk being time spent. If I can spend $250 for a delivered stable product and save 4 weeks of development for an untested product, I'm going to spend the money every time.