I hope this question isn't too stupid of one. I'm new to PHP and am interested in designing a system for internal staff usage. (So all users are trusted - and any of their inputs will go through PDO)
This system will be hosted on the Internet however.
Would simply using PDO, .htaccess (to restrict directory access), and redirecting users upon failed login (so users without an account cannot get to any page other than the login page - hence restricting input based SQL injections from attackers..?) be enough for the site to be hosted online?
Did not consider using a framework, but am wondering how exactly it would work for a website that doesn't allow the public to see anything other than a login page? (At least that's what I think?)
For .htaccess,
deny from all
is used.
For my index.php, it creates a new Template Controller class
$template = new TemplateController();
$template->template_controller();
The TemplateController class follows:
<?php
class TemplateController
{
public function template_controller()
{
include "views/template.php";
}
}
Then finally the template.php has
if (isset($_SESSION["loggedIn"]) && $_SESSION["loggedIn"]) {
if (isset($_GET["route"])) {
if ($_GET["route"] == "home" {
include "modules/" . $_GET["route"] . ".php";
}
} else {
include "modules/404.php";
}
} else {
include "modules/login.php";
}
to handle redirecting of users who are not logged in. Modules are only included if the user has a valid session.
So with this structure, how would a website get attacked if perhaps I'm using a virtual private server plan to host this over a domain? Just wanted to know how a framework would differ from a setup like mine.
Thank you in advance!
EDIT: I've neglected to mention how the login page is secured.
I'm using preg_match to do so.
if (preg_match('/^[a-zA-Z0-9]+$/', $_POST['inUsername']) &&
preg_match('/^[0-9A-Za-z!@#$%^&*(),.<>?\/\-_=+ ]+$/', $_POST['inPassword']))