I’ve been quite critical of temp agency tests, and their lack of ability to write a proper test, so I feel that I can shed some light on what questions tests really must focus on. What I’ll list below is a mixture of security-related functionality, best practices, and advanced functionality not documented very well in the PHP manual. Therefore, they test the programmer’s knowledge, and experience level.
Please note that this article is targeted towards PHP developers to help boost your credibility, and stop selling yourself short. However, it also targets CTOs and other technical upper management who wish to understand why temp agency tests are ineffective. Therefore, this article is very technical to ensure you know where to focus your efforts, and smash your competition.
The 5 questions that every PHP developer must know
- What is a singleton? This question is a great way to determine if the programmer understands best practices. It also shows their knowledge of static variable scope, dynamic versus static methods, and a myriad of other OOP concepts.
- How do you properly use PDO to secure against SQL injection attacks? PDO does not prevent SQL injection attacks unless properly implemented. Prepared statements need proper configuration or they’re just as vulnerable.
- What is a session fixation attack, and how do you properly implement session rotation? Session fixation attacks allow for hackers sitting on the wire to reuse session tokens to gain access to the victim’s account. Check out Wireshark and go sit on an open WiFi connection at your local coffee shop. You’ll learn a lot about what people will see. If you have an HTTPS connection, the attacker must first use a MitM attack to gain access to the victim’s connection. That’s a whole other story.
- How do you make PHP multitask? Most programmers don’t think that PHP can multitask, but that’s simply not the case at all, and you don’t need to use pthreads to do hardware threading. stream_socket_client and stream_select allow for calling third-party servers (presumably API servers) without blocking the script. Thus, you can make calls in parallel and exponentially speed up script execution.
Also, you can make PHP multitask with the Active Object Pattern as described in Agile software development, or use proc_open for system command execution or spawning more PHP processes to handle execution.
Cameron Laird of IBM wrote an article (very basic and now quite dated) that originally showed me how to make PHP multitask. In practice, you’ll need to use loops to grab stream data without using feof, as the streams will never close and will cause PHP to lock up if improperly implemented.
The hard part is that because the streams are live, you won’t get all of the data in one go, so you’ll need to check the HTTP headers for proper data, and trust the source providing such headers. There’s more to it than just that, but like I said, this question is extremely advanced, and requires a working knowledge of poorly documented functionality.
- How do you properly document your code? It’s crucial that a programmer documents their code properly. (Usually with PHPDoc comments, as IDEs often provide easy reference for functions, properties, and the like. Also, PHP’s Reflection processing can grab the comment string for parsing into some nice documentation. phpDocumentor uses PHPDoc comments for that reason.)
If a programmer comments their code even without PHPDoc, it’s still immensely better than nothing at all. Some code can get pretty arcane, and having comments to tell other developers why you’re doing what you’re doing can turn up code relating to old versions of your software, poor foresight, or many other insights into why someone wrote what they did.
When I comment my code, my comments border on code bloat, and most of the time they take up at least 1/4 of the space that the code takes up. It also helps to put funnies in the source code to brighten the lives of the other wizards who pore through the source code after you. 😉
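For the PDO question above, an added example (not code from the original article): the same hostile value passed through string concatenation and through a bound parameter, on a connection with emulated prepares switched off. The table, data and function names (`findUnsafe`, `findSafe`, `listSorted`) are constructed, and reading "proper configuration" as these connection options is an assumption.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
// On MySQL the same options apply and the charset belongs in the DSN,
// e.g. 'mysql:host=...;dbname=...;charset=utf8mb4' (placeholder DSN).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES   => false, // native prepares where the driver offers them
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (email, role) VALUES ('alice@example.test', 'admin'), ('bob@example.test', 'user')");

// Constructed hostile input of the kind a login or search form receives.
$input = "nobody@example.test' OR '1'='1";

// Vulnerable: PDO is in use, but the value is concatenated into the SQL text.
function findUnsafe(PDO $pdo, string $email): array
{
    return $pdo->query("SELECT id, email FROM users WHERE email = '$email'")->fetchAll();
}

// Hardened: the SQL text is fixed and the value travels separately as a bound parameter.
function findSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Identifiers (column names) cannot be bound, so map them through an allow-list.
function listSorted(PDO $pdo, string $column): array
{
    $allowed = ['id' => 'id', 'email' => 'email'];
    $orderBy = $allowed[$column] ?? 'id'; // anything unknown falls back to a safe default
    return $pdo->query("SELECT id, email FROM users ORDER BY $orderBy")->fetchAll();
}

printf("unsafe rows: %d\n", count(findUnsafe($pdo, $input)));
printf("safe rows:   %d\n", count(findSafe($pdo, $input)));
printf("sorted rows: %d\n", count(listSorted($pdo, 'role; --')));
```

Run it with the PHP CLI and the pdo_sqlite extension; the unsafe query matches every row while the bound one matches none.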
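One way to implement the session rotation asked about in the session question above (an added example, not the author's code): the session id is replaced at login and periodically afterwards, and the cookie is restricted to HTTPS so it does not cross an open network in the clear. `loginUser`, `rotateIfStale`, `logoutUser`, the user id and the 15-minute interval are hypothetical.

```php
<?php
// Added example: hypothetical login flow, runnable from the PHP CLI.
ini_set('session.use_strict_mode', '1');  // reject session ids the server did not issue
ini_set('session.use_only_cookies', '1'); // never accept the id from the URL
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,  // cookie is only sent over HTTPS
    'httponly' => true,  // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Call only after the credentials have been verified.
function loginUser(int $userId): void
{
    // Rotate the id at the privilege change and delete the old session data,
    // so an id known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

// Periodic rotation for long-lived sessions (the interval is an assumption).
function rotateIfStale(int $maxAge = 900): void
{
    if (time() - ($_SESSION['rotated_at'] ?? 0) > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

// Clear the data and destroy the server-side session on logout.
function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

$before = session_id();
loginUser(42); // constructed user id
$after = session_id();
echo $before !== $after ? "session id rotated on login\n" : "session id NOT rotated\n";
```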
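For the multitasking question above, an added example (not from the original article or the IBM article it mentions): several HTTP responses read in parallel with `stream_select`, each finished by its `Content-Length` rather than by `feof`, with a deadline and a size cap because the header comes from the remote side. The loopback responder and the `readAll` helper are constructed for illustration.

```php
<?php
// Added example. The loopback responder is constructed so the script runs offline; it replies
// and keeps each connection open, the case in which an feof() loop never terminates.
$server  = stream_socket_server('tcp://127.0.0.1:0', $errno, $errstr);
$addr    = stream_socket_get_name($server, false);
$clients = $kept = [];
foreach (['alpha', 'beta', 'gamma'] as $name) {
    // Blocking connect for brevity; the reads below are what run in parallel.
    $clients[$name] = stream_socket_client("tcp://$addr", $errno, $errstr, 2);
    stream_set_blocking($clients[$name], false);
    fwrite($clients[$name], "GET /$name HTTP/1.1\r\nHost: localhost\r\n\r\n");
    $peer = stream_socket_accept($server, 2);
    $body = "hello from $name";
    fwrite($peer, "HTTP/1.1 200 OK\r\nContent-Length: " . strlen($body) . "\r\n\r\n$body");
    $kept[] = $peer; // never closed, so no EOF will arrive
}

// Read every stream until its declared Content-Length is satisfied, the size cap is hit,
// or the overall deadline passes. Returns name => body for completed responses.
function readAll(array $streams, float $timeout = 5.0, int $maxBytes = 1048576): array
{
    $buf      = array_fill_keys(array_keys($streams), '');
    $done     = [];
    $deadline = microtime(true) + $timeout;
    while ($streams && ($left = $deadline - microtime(true)) > 0) {
        $read = array_values($streams); $write = null; $except = null;
        $usec = (int) (min($left, 0.2) * 1e6);
        if (!stream_select($read, $write, $except, 0, $usec)) continue;
        foreach ($read as $s) {
            $name  = array_search($s, $streams, true);
            $chunk = fread($s, 8192);
            $buf[$name] .= (string) $chunk;
            $parts    = explode("\r\n\r\n", $buf[$name], 2);
            $haveLen  = isset($parts[1]) && preg_match('/^Content-Length:\s*(\d+)\s*$/mi', $parts[0], $m);
            $complete = $haveLen && strlen($parts[1]) >= (int) $m[1];
            if ($complete) $done[$name] = substr($parts[1], 0, (int) $m[1]);
            // Stop on completion, on peer close, or when the peer sends more than the cap.
            if ($complete || $chunk === '' || $chunk === false || strlen($buf[$name]) > $maxBytes) {
                fclose($s);
                unset($streams[$name]);
            }
        }
    }
    array_map('fclose', $streams); // streams that missed the deadline
    return $done;
}

print_r(readAll($clients));
```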
All of these questions are meant to be asked with the intent of getting a code example. If you’re evaluating a programmer for a position with your company, I strongly advise you to have real programmers test your prospects’ knowledge. Zend Certification is the industry standard, and with a bit of research, I’ve learned that the test is written by the PHP Advisory Board which is comprised of some of the developers who write the PHP engine.
I strongly advise you to stay away from testing vendors who do not provide industry standard certifications. Their tests have numerous flaws including typos, single answer questions with two possible correct answers depending on the PHP version (not specified in the question), or useless questions, for example questions about which configuration variables (not options) appear in Xdebug.
Freelancing websites, and temp agencies use those testing services to provide tests, but the problem is that it hurts a programmer’s credibility when they flunk a test or get low marks because of the lack of knowledge of the test author. A PHP programmer deserves the dignity of being tested by their peers, not some hack who just read a textbook.
Check out my answer on Quora about which five questions every PHP developer must know.