How to build a secure PHP web based application?

There are no perfect ways, just simple rules that you can follow.
Most of these rules that apply to PHP will apply to every other language because these are all basic security best practices and principles.
As a general guide; you should look at the OWASP (Open Web Application Security Project) guidelines as well.
I will outline a few points here.
Keep in mind that security is an ongoing practice; it should be part of your code audits and should be done on a periodic basis.
It is not something you do once, and then forget about it.
The basic rule, if everyone followed it that would prevent a majority of vulnerabilities is - never, ever trust user input.
You need to check for user input in three areas, each with varying degrees of strictness:1.
At the client, for syntax and to enable ease of use.2.
At the middleware/business logic layer, for accurateness and fit for purpose.3.
At the database layer for referential integrity.
A database is not where you should do business logic; it should be separated at the business logic error.
So do not check "age >18" at the database, do this at the middleware/business logic area.
Always use prepared statements which will sanitize any inputs to your database.
For PHP specifically, this means do not use the old mysql_* library but rather mysqli_* or PDO Always make sure your PHP version and your webserver is updated with the latest version and all applicable security patches.
Use CSRF protection on any front end form that is POST-ing to your code; but DO NOT USE this for any external-facing forms (otherwise you will compromise your encryption key).
Make sure you understand how file system permissions work.
A lot of the vulnerabilities come from people misunderstanding file system permissions and setting directories to777 which is an open door vulnerability.
Keep any user uploaded content separate and in a separate security profile (including separate user account) than your main code; or use a CDN like S3.
Do not enable extensions that you do not need; and disable modules on your webserver that you are not using.
Employ a web front end cache and separate your code from your web-front end (you can use nginx or a remote CGI server for this).
Do regular code audits and employ best practices like writing unit tests for your code.
Good system and source code level documentation also helps when doing security audits or hardening.

BECAUSE I HAVE NEW THIS IS MY FIRST TIME

web development and web 2.0

Finally, one of the better courses out there for learning this is the Ultimate Web Designer and Developer Course by Brad Hussey. It not only teaches you the HTML, CSS and JavaScript (along with jQuery and Angular), it also has a full section on visual design… which is harder to find. So, you can learn all the coding stuff you need to learn, but also learn visual design. —

first you need to know what are the potential risks such as sql injection, session hijacking, exposed database connection information. then simply consider dealing with them when developing