EvilZone

http://www.ossec.net/ and keep calm! I really don't like BSD mainly because I always have lack of drivers on it....

1. In my opinion just pick one, but build strong base on it. I'm not programming guru, but i've spend a lot of time on C and now I apply this knowledge on every programming language. However you can start with everything python, ruby, java... But at some point you will need to get your hands durty with C and some kind of ASM.
2. You don't need to, you can use vm fusion, virtual box...
3. Why unix? It's open-source and it's used for the most servers, they usually run on Linux of FreeBSD.

My list is endless
1. When I was really young (4-5 years old) me and my dad(who doesn't speak English), we were trying to start a game for hours(2-3 don't remember) at all my mum come home and start it for us.
2. When I was about 8-9 years old I decided that I'm hacker, downloaded VB 2006 and stared crawing the web for topic such us "vb 06 malware", "vb 06 worm" of course I didn't know what a for loop is but I was downloading source codes and modifing them and for some reason I always fucked up the OS installation, for that time I thought that those who can reinstall Windows are the best hackers on the world, sadly soon I understood that my mom can do it too(after she tryed to use the PC).
3.When I've find the BIOS I set password to it, I was unable to remove it.
4. I've used IE until 2008(could you imagine this )
5. I tried to infect somebody via skype somebody from USA don't remember his name I think he was pedo anyway I didn't know that AVs detect trojans nor what a port is, useless to say that I failed.
6.Before 5 years I tried to hack the skype of my girlfriend, I tried to guess the password of the mail used to create skype, sadly the mail was by her mother and I blocked the mail for 48 hours (too many login attempts)=D
there are many more

I didn't read other commends, I'm too lazy so sorry if I repeat somebody. You said that you have read and learn about full-stack development(front and back end dev.). Well I will recommend you to write your own social network something like facebook, with Ajax(or webSockets if you are using HTML5) with chat system, profile system etc.. The idea is to get practical expirience not to destroy facebook.While you are writing the social network don't care about the security .Write the system and then start reading about web security there are plenty of books that will give you basic introduction to the most common attack(like XSS, SQLi, CSRF...). After you get the theory behind those attacks, try to exploit those vulnerabilities in your social network, after that patch them.

P.S. Sorry for my bad grammar.

I don't see any way to avoid(or patch in other words) brute-force attack without attempt maximum. I was unable to understand at least 90% of the things you said, but you said something about "tools", what will happen if I write a custume brute-force tool for your script? Hacking isn't just for using tools. Also I can try to guess the user:pass by hand, how would you stop me without attempt max? The only way I see is to wait for delays between logins. For example if from given IP you get 100 attempts per second this is 100% attack, this  cannot be done by human, but again I can add delay in my tool(for example one attempt per second).
P.S.
Sorry for my bad grammer.

You could try adding -- after you query. If you aren't familiar with SQL better learn it first before start exploiting. Also mysql_fetch_assoc() is function in PHP, this is probably the most widely used programming language for back-end development it's good to learn it too.
In case you want recommendation about resources, in my opinion it depent on your experience.

P.S.
Sorry for my bad grammar.