Thanks for the feedback, I will do some more reading on the topics you suggest.
I think I understand your concerns, except for your statement that the database class should not be responsible for creating database tables. Do you mean that the database class should strictly be meant as a connection to the database? If one were interested in abstracting the database calls in the interest of making it database independent, wouldn't it be best for the database class to handle all SQLite/MySQL/PostgreSQL translations?
One more item, I've done some reading on different implementations of a "Remember Me" cookie and I think I'm safe, but here's the process:
1) User logs into the site with "Remember Me" checkbox checked.
2) Site does a Username/Password validation, then sets a cookie for 30 days that contains a Username and a SHA256 hash of rand(), (Cookietok) which is stored in the database.
3) User leaves, then comes back and presents the Username and Cookietok cookies. If a match, a new Cookietok is calculated and set as the Cookietok cookie and the database is updated, rewriting the old value with the new. (User is allowed to have multiple Cookietoks for different devices, but they are treated the same way.)
4) On logout, all Cookietoks are removed for the user.
Thanks for your review.
Kind Regards,
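
The four steps above, as an added example that is not part of the original post or the poster's code. It assumes an in-memory SQLite table named `cookietok` (hypothetical), draws the token from a CSPRNG instead of hashing `rand()`, and stores only the SHA-256 of the token so a database read does not yield usable cookies.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

TTL = 30 * 24 * 3600  # 30-day cookie lifetime, as in step 2

def open_db():
    # Hypothetical schema: one row per remembered device.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cookietok (username TEXT, tok_hash TEXT, expires INTEGER)")
    return db

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue(db, username, now=None):
    """Step 2: call only after the password check succeeded."""
    now = int(time.time()) if now is None else now
    token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG, not rand()
    db.execute("INSERT INTO cookietok VALUES (?, ?, ?)",
               (username, _digest(token), now + TTL))
    return token  # value for the Cookietok cookie; only its hash is stored

def present(db, username, token, now=None):
    """Step 3: on a match, rotate that device's row and return the new token."""
    now = int(time.time()) if now is None else now
    presented = _digest(token)
    rows = db.execute(
        "SELECT rowid, tok_hash FROM cookietok WHERE username = ? AND expires > ?",
        (username, now)).fetchall()
    for rowid, stored in rows:
        if hmac.compare_digest(stored, presented):  # constant-time comparison
            fresh = secrets.token_hex(32)
            db.execute("UPDATE cookietok SET tok_hash = ?, expires = ? WHERE rowid = ?",
                       (_digest(fresh), now + TTL, rowid))
            return fresh
    return None  # unknown, expired, or already-rotated token

def logout(db, username):
    """Step 4: drop every remembered device for the user."""
    db.execute("DELETE FROM cookietok WHERE username = ?", (username,))
```

A `None` from `present` for a token that was valid earlier means the cookie was replayed after rotation, which is worth logging.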