Is my application secure if I disable the Source button in CKEditor?

I am using the CKEditor to let the users post their comments. I am not using the bbcode in my forum. If I hide the source button of CKEditor and do the following steps

  1. use the htmlspecialchars() function to handle the HTML elements
  2. use parse_url to ensure that the data has been submitted from my own domain

Am I securely handling the user submitted data? Do I still need to use bbcode? What more steps should I take to make my application more secure?

You won't secure your code by hiding that button. In fact, nothing you do on the client side will help.

I strongly suggest you to check what your users post before adding it to your DB. Last time I had to deal with such thing, I used a combination of PHPIDS and HTML Purifier but that was long ago and I don't know if they're the best tools for that nowadays.
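The following is an added example of the server-side check the answer recommends; it is not code from the question, the answer, or the HTML Purifier project. It assumes HTML Purifier has been installed with Composer (`composer require ezyang/htmlpurifier`) and uses a constructed sample comment rather than a real `$_POST` value. The allowlist of tags and the hypothetical `sanitize_comment()` / `escape_plain()` function names are my own choices.

```php
<?php
// Added example: server-side sanitization of CKEditor output with HTML Purifier.
// Assumes the Composer autoloader and the ezyang/htmlpurifier package are present.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Reduce user-submitted rich text to an explicit allowlist of tags, attributes
 * and URL schemes. Anything not on the list (script elements, on* event
 * handler attributes, javascript: links, unknown tags) is stripped, whatever
 * the editor's toolbar showed, because the browser can post arbitrary HTML.
 */
function sanitize_comment(string $dirty): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Allowlist: only the markup a forum comment legitimately needs.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,ul,ol,li,blockquote,a[href]');

    // Only http and https links survive; javascript:, data: etc. are removed.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Mark user links rel="nofollow" so the comment section is not a link farm.
    $config->set('HTML.Nofollow', true);

    // Definition cache; point this at a writable directory in production.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirty);
}

/**
 * Fields that should never contain markup at all (display name, subject line)
 * are a different case: keep them as plain text and escape them on output.
 * This is where htmlspecialchars() belongs; applying it to the CKEditor body
 * would turn the user's formatting into literal "<p>" text on the page.
 */
function escape_plain(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, standing in for $_POST['comment']. It mixes
// legitimate formatting with the kinds of markup the allowlist must drop.
$sample = '<p onmouseover="alert(1)">Hello <b>world</b></p>'
        . '<script>alert(1)</script>'
        . '<a href="javascript:alert(2)">bad link</a>'
        . '<a href="https://example.com/">good link</a>';

// Sanitize once, on the server, before the value is stored (use a prepared
// statement for the INSERT) and render the stored, sanitized HTML as-is.
$clean = sanitize_comment($sample);
echo $clean, PHP_EOL;

// A plain-text field is escaped instead, so any tags show up as text.
echo escape_plain('<img src=x onerror=alert(1)>'), PHP_EOL;
```

Two points follow from the example. First, `htmlspecialchars()` and a sanitizer solve different problems: escape plain-text fields, sanitize rich-text fields, and never do both to the same value. Second, the `parse_url` check in step 2 of the question inspects a header the client supplies (`Referer`), so it is not a security control on its own; the allowlist sanitizer applied before storage is what actually decides which markup reaches other users' browsers.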