Security question for user permissions

arrangements
12-02-2007, 04:12 PM
I've had a site for half a year now, and I have this set up:
1 User with all permission to add/edit/delete etc. data
1 User with SELECT and INDEX permissions

My question is, do I need to make this (second) user secure? Because on my new site I want my users (I'm going to create a user system) to be able to add comments and such, and I don't want injections or other such security hazards.

arrangements
12-03-2007, 10:35 PM
uh... bump

chazzy
12-05-2007, 06:22 AM
You need to have 1 application user. Every person from the application needs to be in the database as this person. This user needs to be able to do everything that your application needs to do; this is generally select, insert, update, and delete, and sometimes there are also temp tables.

Any other management user (such as a dba or a developer) should have their own user. I'm not sure if this helps you.

arrangements
12-05-2007, 08:41 AM
You're on the correct path; so following what you said, my question is: would there be a security risk if I just use 1 user? Because vBulletin only uses 1 user. Also another question: why do developers need to have their own user?

chazzy
12-05-2007, 06:34 PM
each "actor" in the real world gets their own user. vbulletin is an actor. a developer is an actor.

arrangements
12-05-2007, 06:37 PM
So which is the best method for me? I'm still learning PHP and MySQL, but I just wanted to know why people make different users and which is the best method. Are there advantages or disadvantages?

chazzy
12-05-2007, 07:14 PM
I don't know what might be an advantage or disadvantage as I don't know what other approaches you're thinking of.

I will say this: you should only worry about the user(s) that your application uses. vBulletin uses one user, but when creating the tables it asks you for the root login for your database (if you installed it through a hosting provider the installation was likely different). This is because application users shouldn't have the ability to create/drop a table, only manipulate the data in the tables.
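The split chazzy describes (one database user per actor, with the application user limited to manipulating rows) written out as MySQL statements. This is an added example, not code from the thread; the database name `reviews`, the host names, the user names and the passwords are all assumed placeholders.

```sql
-- Added example (not from the thread). Database `reviews`, host
-- `app.example.internal`, and all user names/passwords are assumptions.

-- 1. Application user: the identity the PHP site connects as.
--    It only needs to manipulate rows in its own database; it never
--    needs to create, alter, index or drop tables.
CREATE USER 'app_user'@'app.example.internal' IDENTIFIED BY 'CHANGE-ME-app';
GRANT SELECT, INSERT, UPDATE, DELETE
    ON reviews.* TO 'app_user'@'app.example.internal';
-- INDEX (mentioned in the question) is a DDL privilege (CREATE/DROP INDEX);
-- comment-posting code does not need it, so it is deliberately left out.
-- No GRANT OPTION and no global (*.*) privileges are given either.

-- 2. Developer/DBA user: schema changes and installs (the step where
--    vBulletin asks for the root login) run as this identity, and only
--    from the admin host.
CREATE USER 'dev_alice'@'localhost' IDENTIFIED BY 'CHANGE-ME-dev';
GRANT ALL PRIVILEGES ON reviews.* TO 'dev_alice'@'localhost';

-- 3. Read-only user for reports/backups (the "SELECT only" user from
--    the original question).
CREATE USER 'report_user'@'localhost' IDENTIFIED BY 'CHANGE-ME-report';
GRANT SELECT ON reviews.* TO 'report_user'@'localhost';

-- Verify: the application user's grants must list only the four DML
-- privileges on reviews.*, nothing on other databases and no DDL.
SHOW GRANTS FOR 'app_user'@'app.example.internal';

-- Sanity check when connected AS app_user: this must be rejected with
-- a "command denied" error, which confirms the DDL restriction holds.
-- DROP TABLE reviews.comments;
```

Limiting the application user caps what an injected query can do (no dropping tables, no reading other databases), but it does not stop injection itself; the PHP code still has to use prepared statements or proper escaping.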

arrangements
12-05-2007, 07:32 PM
Sorry, I have this black and white mind that says I should do this or that. And I want to do future projects correctly, without flaw.

So... say I have an application where users can comment on, say, a review.
Then I should create a new user for this specific job. Right? (To be able to INSERT, INDEX, and SELECT only)
But do I really need to create a new user? Is there any problem with using the same user as the developer?

chazzy
12-06-2007, 06:26 PM
You really just shouldn't even be worrying about this from your application. Assume that you have a database connection. Let them worry about the users to create; just somehow let your application exist assuming you have a database connection, and let people in infrastructure deal with the whole "what user do we give them."