I'm beginning to learn web security such as how sites are vulnerable to xss, how it works, how to prevent xss, sql injection and how to prevent sql injection, etc.

I come from a systems administration background but I want to learn more about web security.

My initial thought was to start off learning Javascript. For that, I am reading from w3schools.

I'm also learning more about Linux with CentOS, permissions, file structure, etc.

Afterwards, I'd like to know PHP and Apache.

Is the above a good approach to learning some of the basics. Is w3schools a good resource for learning Javascript?

Try to search a bit harder, as there's a billion tutorials on the Internet, and this question has been asked many times before. There's many sites like this with good information, such as but not limited to the links below.

The Beginners Guide to XSS:
http://www.xssed.com/article/31/The_Beginners_Guide_to_XSS/

Various tutorials:
http://forum.intern0t.net/web-hacking-war-games/
http://forum.intern0t.net/offensive-guides-information/
http://forum.intern0t.net/general-hacking-discussions/

Finding Vulnerabilities in PHP Scripts by SirGod:
http://forum.intern0t.net/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html

Exploit-DB Blogs about Web Application Security:
http://www.exploit-db.com/category/maxe/

There's a lot of courses about how to learn Web Application Security, as this is what you want to learn. Check out OWASP's website as well.

First, learn: HTML, CSS, JavaScript (basics).
Then: PHP or ASP (or JSP or any other web language, I recommend PHP as it's easier to learn and a lot of web applications are written in this language, however most corporate ones are not written in PHP.)
When you feel comfortable with these languages: Download some random web apps, those that are not widely used as these are often more secure, then try to review the code for bugs like XSS. (Unsanitized input.)

You can also just fuzz any input field you find, within the web app you download.

In addition to the links above, there's also YouTube (w00t), SecurityTube, and various providers of infosec courses as well such as: eLearnSecurity, SANS, LearnSecurityOnline, and so forth.

If you want something to practice on, try WebGoat for starters. (There's other projects similar to this, and there's even a nice thread in one of these sections on this website, that was recently updated with pretty much almost all such projects.)


Enjoy!

I'd also highly recommend learning at least rudimentary SQL (and how to fingerprint databases and understand the differences in strategy when you are attacking MySQL vs Oracle vs MSSQL. There's no xp_cmdshell in MySQL for example but you can create it more or less with INTO OUTFILE.) Also, remote code execution aside, databases are usually where the data lives and you need to know how to get at it or you will have a really hard time building SQL queries in your injection strings.

tor0: After learning PHP, or during that, learn some basic SQL and then progress into a bit more advanced queries. Not before, there's no reason to. (In essence, SQL queries are not as hard as they may seem, see example below.)

SELECT piece FROM cake WHERE size < mouth;

It's pretty much as simple as that, and after seeing that phrase in a book, it made a lot more sense to me 

Lots of great advice here. I've gone over some Javascript but will take a deeper dive to really get to know it which I am then moving on to PHP which will lead me to the SQL area.

I think this is a good start for a foundation.

You're right that a book from e.g. O'Reily is probably better than W3Schools when it comes to learning JavaScript, but knowing only this language and HTML is not Web Application Security, it's like the warm (and nice smelling) air on top of a pizza.