对于内部使用的PHP站点(没有框架),PDO + htaccess是否足以阻止大多数攻击?

I hope this question isn't too stupid of one. I'm new to PHP and am interested in designing a system for internal staff usage. (So all users are trusted - and any of their inputs will go through PDO)

This system will be hosted on the Internet however.

Would simply using PDO, .htaccess (to restrict directory access), and redirecting users upon failed login (so users without an account cannot get to any page other than the login page - hence restricting input based SQL injections from attackers..?) be enough for the site to be hosted online?

Did not consider using a framework, but am wondering how exactly it would work for a website that doesn't allow the public to see anything other than a login page? (At least that's what I think?)

For .htaccess,

deny from all

is used.

For my index.php, it creates a new Template Controller class

$template = new TemplateController();
$template->template_controller();

The TemplateController class follows:

<?php

class TemplateController
{

    public function template_controller()
    {

        include "views/template.php";

    }

}

Then finally the template.php has

if (isset($_SESSION["loggedIn"]) && $_SESSION["loggedIn"]) {
    if (isset($_GET["route"])) {
        if ($_GET["route"] == "home" {
            include "modules/" . $_GET["route"] . ".php";
        }
    } else {
        include "modules/404.php";
    }
} else {

    include "modules/login.php";
}

to handle redirecting of users who are not logged in. Modules are only included if the user has a valid session.

So with this structure, how would a website get attacked if perhaps I'm using a virtual private server plan to host this over a domain? Just wanted to know how a framework would differ from a setup like mine.

Thank you in advance!

EDIT: I've neglected to mention how the login page is secured.

I'm using preg_match to do so.

if (preg_match('/^[a-zA-Z0-9]+$/', $_POST['inUsername']) && 
preg_match('/^[0-9A-Za-z!@#$%^&*(),.<>?\/\-_=+ ]+$/', $_POST['inPassword']))

Who would attack you internally. Just fire them.

Make sure that you escape and sanitize or validate every use input that needs to be saved in the DB.

Also, make sure that you won't print stuff that comes out of the DB directly on a web page. You cannot trust anything directly coming from the DB. You have to escape them before rendering them.

And use prepared statement whenever you can. It takes care of a many security related escaping when inserting something in the database or even when passing an argument for the WHERE clause of your query for example.