
Is this considered Good Practice?

Hi Alena Holligan,

Just going through the PHP User Authentication and I was wondering if some of the practices are considered to be good?

For example, the use of global $db: in a different video with PHP and PDO you do this a different way, which seems to be the better option?

Also, we duplicate a function with the error and success message when we could just use one function such as:

/**
 * Flash Message
 *
 * Renders whichever flash type is present (error first, then success)
 * as a single dismissable alert.
 */
function display_messages() {

  global $session;

  if ($session->getFlashBag()->has('error')) {
    $messages = $session->getFlashBag()->get('error');
    $response = '<div class="alert alert-danger alert-dismissable" role="alert">';
  } elseif ($session->getFlashBag()->has('success')) {
    $messages = $session->getFlashBag()->get('success');
    $response = '<div class="alert alert-success alert-dismissable" role="alert">';
  } else {
    // Nothing queued: return an empty string so $messages is never undefined.
    return '';
  }

  $response .= '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>';
  foreach ($messages as $message) {
    $response .= "{$message}<br />";
  }
  $response .= "</div>";

  return $response;
}


Probably a better way of doing that as I'm looking at it.

Finally, I noticed we don't do many actual checks, especially on the user input. For example, we don't check that the user enters a valid email, or an email at all actually. (Other than HTML 5's check) Is there a reason why we don't do this?

This seems like it would be a great course for OOP PHP, to build a working app like this, or even a Slim / Twig course.
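The two points raised above (one helper for both message types, and server-side validation of the email rather than relying on the HTML5 check) as an added example; this is not the course's or the poster's code. It assumes a flash bag with Symfony-style has()/get() methods, and the ConstructedFlashBag class is a constructed stand-in so the snippet runs without the session component.

```php
<?php
// Constructed stand-in for Symfony's FlashBag (has()/get() only, plus add() to seed it).
class ConstructedFlashBag {
    private $flashes = [];
    public function add($type, $message) { $this->flashes[$type][] = $message; }
    public function has($type) { return !empty($this->flashes[$type]); }
    public function get($type) {                  // like Symfony, get() clears the type
        $messages = $this->flashes[$type] ?? [];
        unset($this->flashes[$type]);
        return $messages;
    }
}

// One helper for both message types; the flash bag is passed in instead of using a global.
function display_messages($flashBag) {
    $types = ['error' => 'alert-danger', 'success' => 'alert-success'];
    foreach ($types as $type => $cssClass) {
        if (!$flashBag->has($type)) {
            continue;
        }
        $response = '<div class="alert ' . $cssClass . ' alert-dismissable" role="alert">'
                  . '<button type="button" class="close" data-dismiss="alert" aria-label="Close">'
                  . '<span aria-hidden="true">&times;</span></button>';
        foreach ($flashBag->get($type) as $message) {
            // Escape each message: flash text often echoes user input (e.g. the address they typed),
            // and escaping keeps that input from being interpreted as markup.
            $response .= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '<br />';
        }
        return $response . '</div>';
    }
    return '';                                    // nothing queued
}

// Server-side check; the browser's type="email" attribute is a convenience, not a control.
function validate_email($email) {
    $email = trim((string) $email);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// Constructed sample input.
$bag = new ConstructedFlashBag();
$bag->add('error', 'Unknown address: <b>not-an-email</b>');
echo display_messages($bag), PHP_EOL;             // the <b> tags come out as literal text
var_dump(validate_email('alice@example.com'));    // string(17) "alice@example.com"
var_dump(validate_email('not-an-email'));         // NULL
```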



2 Answers

Alena Holligan
Treehouse Teacher

I try to keep most courses to a minimum of non-critical secondary concepts. This makes it easier to distinguish what we are actually learning. For example, email validation has been covered in other courses and is not critical to what we are learning here. You should DEFINITELY integrate ALL new concepts into what you have already learned.

There are many different ways to handle most things, including global information: configuration files, global variables, constants, dependency injection... Some people have VERY strong opinions about certain ways of doing things, but there is almost never ONE RIGHT ANSWER! Many times it comes down to your application and what makes sense for your particular requirements. The requirements for this course were to teach 3 new concepts: user authentication, authorization and JWTs. These are rather complex concepts, so I wanted to keep everything else as simple as possible. When it came to a decision on how to do something, most of the time it came down to, "is this really necessary?" and "what will be the least distracting from our goal?"

These same concepts could easily be translated into an OOP approach. Some sort of framework or templating system could also be extremely helpful. I didn't want new developers to feel like they could only program user authorization and authentication using OOP with a specific framework and templating system. Oftentimes you won't even write your own authentication system, but understanding how things work and how to keep things secure will help you interact with a system and also know if the system you're looking at is a good choice or not.

Hi and thanks for the speedy response. That's great to know; I just wanted to make sure I wasn't missing something. It seemed strange to have learnt about these things and then not have them implemented in what I considered to be a more advanced course.