Thread: calibre2php
Old 10-09-2009, 09:15 AM   #4
FragFrog
Connoisseur
Posts: 83
Karma: 32
Join Date: Oct 2009
Location: The Netherlands
Device: PRS-600
I am somewhat mixed on this to be honest. On the one hand, direct querying of the datastore file would allow one to have the site available even when Calibre is not running - something quite useful in its way, at least for me since I already have a webserver in my home network and don't need a second one. On the other hand, this only works if said webserver has direct access to the datastore file, which is somewhat less easily accomplished. Overall though I welcome the ability to simply add a vhost to my existing webserver and not bother with running Calibre all the time - I can see why there would be requests for this and appreciate the effort you've obviously put into this.

Then, as for the code itself: you store almost all global information in the session which, if anything, lacks elegance. While some parts are decently documented, most are not, which is not too bad in a new project but something to be wary of.
What I find more troublesome however is the complete lack of classes and structure. Granted, procedural programming has its place, but it's a small place and not a good one to start out from with a new project in my opinion.
There is also a lot of mixing of PHP and HTML; while usually limited within functions, it is not something I enjoy seeing - the MVC architecture has many benefits, and will save you a lot of trouble later on if the project grows.
Last but not least, you do not seem to escape any variables in your SQL queries, but instead rely on them being set safely and correctly in the session. While this might be true (I must confess to not going over all your code) it is a potential security risk, especially on hosts with register_globals still active (and those number more than I would like). I am no hacker myself, but have experienced numerous attacks on sites I worked on - some successful, others not so. It has made me cautious, and using parametrized queries would be a simple way to prevent any possible hacks since you're already using PDO.
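To illustrate the last point, here is an added example (not FragFrog's code and not from calibre2php) of the string-built query beside its PDO prepared-statement form. It uses an in-memory SQLite database with a constructed `books` table; the column names are an assumption modelled on Calibre's metadata.db, not taken from the project.

```php
<?php
// Added example, not from the thread or from calibre2php.
// Constructed in-memory database; column names are assumed, not Calibre's verified schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author_sort TEXT)');
$pdo->exec("INSERT INTO books (title, author_sort) VALUES
            ('Dune', 'Herbert, Frank'), ('Emma', 'Austen, Jane')");

// The form criticised above: the search term is pasted into the SQL text.
// It makes no difference whether the value came from $_GET or from $_SESSION;
// once something other than your own code controls it (register_globals
// included), the query text itself is under that party's control.
function search_unsafe(PDO $pdo, string $term): array
{
    $sql = "SELECT id, title FROM books WHERE title LIKE '%$term%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement with a bound parameter: the value travels to SQLite
// separately from the query text, so quotes inside it are plain data.
// Note that LIKE wildcards (% and _) inside $term are still interpreted by
// LIKE; bind the pattern, and escape those two characters if you need a
// literal match.
function search_safe(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM books WHERE title LIKE :pat');
    $stmt->execute([':pat' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly ordinary title fragment containing an apostrophe is enough to
// show the difference: the concatenated query is syntactically broken by it,
// the bound one simply returns no rows.
$term = "O'Brien";
try {
    search_unsafe($pdo, $term);
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
var_dump(search_safe($pdo, $term)); // empty result set, no error
var_dump(search_safe($pdo, 'mm'));  // one row: Emma
```

With `ATTR_ERRMODE` set to exceptions, the broken query surfaces as an error rather than silently returning `false`, which is also the behaviour you want in production so that malformed input is logged instead of ignored.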