
Course: PHP > PHP User Authentication > Setting up Authorization System > Creating Helper Functions

Marc Busby, 35,550 Points

Is this considered Good Practice?

Hi Alena Holligan,

I'm just going through PHP User Authentication and was wondering whether some of the practices are considered to be good.

For example, the use of global $db: in a different video with PHP and PDO you do this a different way, which seems to be the better option?

Also, we duplicate a function with the error and success message when we could just use one function such as:

```php
/**
 * Flash Message
 */
function display_messages() {

  global $session;

  if ($session->getFlashBag()->has('error')) {
    $messages = $session->getFlashBag()->get('error');
    $response = '<div class="alert alert-danger alert-dismissable" role="alert">';
  } elseif ($session->getFlashBag()->has('success')) {
    $messages = $session->getFlashBag()->get('success');
    $response = '<div class="alert alert-success alert-dismissable" role="alert">';
  } else {
    // Nothing was flashed, so there is nothing to render
    return '';
  }

  $response .= '<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>';
  foreach ($messages as $message) {
    $response .= "{$message}<br />";
  }
  $response .= "</div>";

  return $response;
}
```

There's probably a better way of doing that, now that I'm looking at it.

Finally, I noticed we don't do many actual checks, especially on the user input. For example, we don't check that the user enters a valid email, or an email at all actually. (Other than HTML 5's check) Is there a reason why we don't do this?

This seems like it would be a great course for OOP PHP, to build a working app like this, or even a Slim / Twig course.
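An added example (not Marc's code and not the course's) of the two points raised above: a single flash-message renderer that handles every message type in one pass, and a server-side email check to back up the HTML5 attribute. It assumes the Symfony HttpFoundation session the course uses, whose `getFlashBag()->all()` returns an array keyed by flash type and empties the bag; the `$flashes` array and the candidate emails are constructed for the demo. Two security details differ from the posted function: messages are HTML-escaped on output, so a flashed string that echoes user input cannot inject markup, and the session is passed in rather than pulled from a global.

```php
<?php
// Added example, not from the course or the original post. Assumes the
// Symfony HttpFoundation session used in the course, whose FlashBag::all()
// returns ['type' => [messages...]] and clears the bag.

declare(strict_types=1);

/** Map of flash type => Bootstrap alert class; unknown types are ignored. */
const FLASH_CLASSES = [
    'error'   => 'alert-danger',
    'success' => 'alert-success',
];

/**
 * Render every flashed message in one pass instead of one function per type.
 * Each message is escaped on output so a flashed string that echoes user
 * input (e.g. "Unknown email: <script>...") cannot inject markup.
 */
function render_flash_messages(array $flashes): string
{
    $html = '';
    foreach (FLASH_CLASSES as $type => $class) {
        if (empty($flashes[$type])) {
            continue;
        }
        $html .= '<div class="alert ' . $class . ' alert-dismissable" role="alert">';
        $html .= '<button type="button" class="close" data-dismiss="alert" aria-label="Close">'
               . '<span aria-hidden="true">&times;</span></button>';
        foreach ($flashes[$type] as $message) {
            $html .= htmlspecialchars((string) $message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '<br />';
        }
        $html .= '</div>';
    }
    return $html;
}

/**
 * Server-side email check. The HTML5 type="email" attribute only runs in the
 * browser; anyone posting directly to the endpoint skips it, so the server
 * must validate as well. Returns the trimmed address, or null if unacceptable.
 */
function validate_email(string $input): ?string
{
    $email = trim($input);
    // Hard length cap so an oversized payload never reaches the DB or mailer.
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// --- Constructed demo input, standing in for $session->getFlashBag()->all() --
$flashes = [
    'error'   => ['Unknown email: <img src=x onerror=alert(1)>'],
    'success' => ['Profile saved'],
];
echo render_flash_messages($flashes), PHP_EOL;

// --- Constructed demo: validate before the address touches the database ----
foreach (['user@example.com', 'not-an-email', str_repeat('a', 300) . '@x.io'] as $candidate) {
    echo var_export(substr($candidate, 0, 30), true), ' => ',
         var_export(validate_email($candidate), true), PHP_EOL;
}

// In a login handler this would be wired up as:
//   if (validate_email($_POST['email'] ?? '') === null) {
//       $session->getFlashBag()->add('error', 'Please enter a valid email address');
//       header('Location: /login');
//       exit;
//   }
//   echo render_flash_messages($session->getFlashBag()->all());
```

Because `render_flash_messages()` takes plain arrays and returns a string, it can be unit-tested without a session at all, and the escaping lives in exactly one place rather than in every helper that prints a message.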



2 Answers

Alena Holligan, Treehouse Teacher

I try to keep most courses to a minimum of non-critical secondary concepts. This makes it easier to distinguish what we are actually learning. For example, email validation has been covered in other courses and is not critical to what we are learning here. You should DEFINITELY integrate ALL new concepts into what you have already learned.

There are many different ways to handle most things, including global information: configuration files, global variables, constants, dependency injection... Some people have VERY strong opinions about certain ways of doing things, but there is almost never ONE RIGHT ANSWER! Many times it comes down to your application and what makes sense for your particular requirements. The requirements for this course were to teach 3 new concepts: user authentication, authorization and JWTs. These are rather complex concepts, so I wanted to keep everything else as simple as possible. When it came to a decision on how to do something, most of the time it came down to, "is this really necessary?" and "what will be the least distracting from our goal?"

These same concepts could easily be translated into an OOP approach. Some sort of framework or templating system could also be extremely helpful. I didn't want new developers to feel like they could only program user authorization and authentication using OOP with a specific framework and templating system. Oftentimes you won't even write your own authentication system, but understanding how things work and how to keep things secure will help you interact with a system and also know whether the system you're looking at is a good choice or not.

Marc Busby, 35,550 Points

Hi and thanks for the speedy response. That's great to know, I just wanted to make sure I wasn't missing something. It seemed strange to have learnt about these things and then not have them implemented on what I considered to be a more advanced course.