Code Review

Commonmark migration
# Red flag

    $query = "SELECT * FROM admin WHERE user = :user AND password = :pass";

Ok, so you've heard that you should hash passwords before storing them, because it turns out that `pass` is a SHA hash. But you don't seem to have heard of salt. The password database is going to be wide open to a rainbow table attack.

I would recommend that you use a framework which has a good password storage mechanism (if there is one). If not, read the OWASP Password Storage Cheat Sheet very carefully before you rewrite this code.


Peter Taylor

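To make the salt point concrete, here is an added example (not code from the answer or from the reviewed project) showing the flagged unsalted-SHA lookup beside a per-user-salted version built on PHP's `password_hash()`/`password_verify()`; the PDO-on-SQLite setup, the `storeAdmin`/`loginSalted` names and the sample credentials are assumptions for illustration.

```php
<?php
// Added example, not from Peter Taylor's answer or the reviewed code.
// Assumes PDO with SQLite (in-memory, so it runs offline) and the
// `admin(user, password)` table the flagged query implies.
// FLAWED (what the answer flags): the stored value is an unsalted SHA-1 digest
// and the comparison happens inside the query. Equal passwords give equal
// digests, and a leaked table can be reversed with a precomputed rainbow table.
function loginUnsalted(PDO $pdo, string $user, string $password): bool
{
    $query = "SELECT * FROM admin WHERE user = :user AND password = :pass";
    $stmt = $pdo->prepare($query);
    $stmt->execute([':user' => $user, ':pass' => sha1($password)]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// HARDENED: password_hash() generates a random per-user salt and stores it,
// together with the algorithm and cost, inside the returned string.
function storeAdmin(PDO $pdo, string $user, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare("INSERT OR REPLACE INTO admin (user, password) VALUES (:user, :pass)");
    $stmt->execute([':user' => $user, ':pass' => $hash]);
}

// Look the row up by user name only and verify in application code; a salted
// hash cannot be matched by string equality in SQL.
function loginSalted(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare("SELECT password FROM admin WHERE user = :user");
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    // Re-hash transparently if PASSWORD_DEFAULT or its cost has since changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        storeAdmin($pdo, $user, $password);
    }
    return true;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE admin (user TEXT PRIMARY KEY, password TEXT NOT NULL)");
storeAdmin($pdo, 'alice', 'correct horse');  // constructed sample credentials
assert(loginSalted($pdo, 'alice', 'correct horse') === true);
assert(loginSalted($pdo, 'alice', 'wrong') === false);
// Same password for two users: salted hashes differ, sha1() digests would not.
storeAdmin($pdo, 'bob', 'correct horse');
assert($pdo->query("SELECT COUNT(DISTINCT password) FROM admin")->fetchColumn() == 2);
```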
