What time did you go to bed last night?
A lot of programmers are described as “night owls” who do their best work at 2am in solitude. However, many suffer from circadian rhythm sleep disorders (https://my.clevelandclinic.org/health/diseases/12115-circadian-rhythm-disorders), which cause real trouble for team cohesion and are sometimes comorbid with mental health problems. It’s crucial to identify and support a colleague whose barriers to working normally need addressing.
The answer should indicate whether the applicant follows a normal working schedule or may need to work on a different schedule which has to integrate with the normal day.
Good answer: I try to maintain regular working hours and disconnect from work by the early evening whenever possible.
How do you handle and resolve conflict?
Joining or creating a team involves conflict. It’s completely inevitable. You form, then you storm, then you norm. Egos are rampant. Many managers are entirely incompetent. Your ideas will be better sometimes. Often you are asked to do things you completely disagree with. Sometimes your entire employment is dominated by the need to resolve conflict and bruised egos in a constructive, cooperative, and mature way.
The answer should demonstrate the applicant understands the damaging nature of passive aggression and unhealthy personal behaviour, and has a way to process it.
Good answer: conflict is inevitable and needs healthy management which acknowledges and resolves it, so it produces creativity and a broader perspective for everyone.
What are the signs of poor development or a bad engineer?
PHP can be a real mess. There are more bad engineers than good ones. There are serious flags everyone knows: egos, not having any processes, no unit testing, spaghetti code, masses of technical debt, no documentation. The list is very long.
The answer should demonstrate the applicant can spot bad engineering and knows the difference.
Good answer: on a collective or individual basis, a lack of or indifference to standards and best practices.
What do you consider to be PHP’s worst problems?
PHP has a huge number of problems which are slowly being resolved. It has been considered the most childish language for years and is hated in some circles. Its status as a mature language is resented and ridiculed by a lot of computer science people, but its reputation is improving. The most complained-about issue is its type system. Start here: http://www.phpsadness.com/
The answer should demonstrate the applicant understands the language’s limits.
Good answer: an awareness of PHP’s reputation and its improvements. Could include: inconsistent function naming and argument order, performance, being an interpreted language, no first-class async, etc.
When should you deal with technical debt?
Tech debt (https://en.wikipedia.org/wiki/Technical_debt) is what the person before you couldn’t be bothered to write or fix properly, and put off until later because their manager told them it wasn’t as important as the thing they wanted. It’s like putting it on a credit card: deal with it now, or let the interest drown you in six months. Every project has it, but very few manage it, because people think they will get fired if they try.
The answer should demonstrate the applicant understands how fatal technical debt is.
Good answer: I hate it. It has to be dealt with right away. You can’t put things off or it will be a nightmare later.
Who created PHP, and why?
You’ll be staggered at the amount of developers who can’t answer this simple question.
The answer should demonstrate the applicant understands PHP’s fast-changing history.
Good answer: Rasmus Lerdorf in 1994. He called it “Personal Home Page” tools: a set of CGI binaries written in C for embedding dynamic snippets in HTML, which is where its templating heritage comes from.
How beneficial have you found diversity training and codes of conduct to the development process?
This question is deceptive, and designed to get round the issue of discriminating against someone for their political affiliation when weeding out candidates who may prove to be divisive or litigious. Few issues enrage developers more than political interference by the social sciences into STEM. So-called “diversity” training, language-engineering, and Soviet-style “codes of conduct” are polarizing and reveal even the most tactful applicant’s feelings. Generally speaking, three camps emerge: a) don’t care/avoid, b) we need more, and c) I hope they die in a car fire. Those who agree with politicising the workplace tend to be younger, from liberal arts backgrounds, and end up stirring division, resentment, and eggshell-walking.
The answer should demonstrate the applicant’s temperament and the likelihood they will engage in behaviour which is destructive.
Good answer: Not at all. Good code has nothing to do with immutable characteristics, and the workplace should be free from politicisation.
How do you approach the encryption of sensitive private data in a database?
Most developers are appalling at protecting personal information. The key decisions are a) using a reliable standard (an authenticated cipher from a maintained library such as libsodium or OpenSSL, never a home-grown scheme), b) who or what does the encryption and where the key lives, and c) which data should be encrypted at all rather than hashed (passwords) or simply not collected. If the PHP application encrypts a column in code, only something holding that key can decrypt it: a data analyst querying the database directly sees ciphertext, which is a feature if the database is breached and a problem if that analyst legitimately needs the data. If the database does the encrypting (at-rest/transparent encryption, or server-side column functions), every client with database access gets plaintext, which keeps the data usable but means a leaked database credential or a SQL injection exposes it too. Which one is right is a threat-model question, not a matter of taste.
The answer should demonstrate the applicant understands the need to respect private information, that the data may need to be accessible to other people, and that the trade-off between the two is deliberate.
Good answer: encryption is different from hashing (passwords are hashed, never encrypted). Where other clients genuinely need the data, the database can do the encryption so it stays available to reporting tools as well as the application; for the most sensitive fields, application-side encryption with the key held outside the database gives stronger protection at the cost of that accessibility. Either way, key management matters more than the choice of cipher.
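As an added example (not code from the article), the application-side option described above: one sensitive column encrypted with libsodium’s XChaCha20-Poly1305 AEAD, with the row id and column name bound in as associated data so a ciphertext copied to another row or column is rejected, beside password hashing for contrast. It assumes PHP 7.2 or later (the sodium extension is bundled) and that in production the key is loaded from somewhere outside the database (environment, KMS, HSM); the key is generated inline here only so the script runs stand-alone, and the row id, column name and sample values are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article. Assumes the sodium extension
// (bundled since PHP 7.2). The key is generated inline only so this runs
// stand-alone; in production it comes from outside the database.

const NONCE_BYTES = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24
const TAG_BYTES   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES;    // 16

/**
 * Encrypt a field for storage. The column name and row id are bound in as
 * associated data, so a ciphertext copied into another row or column fails
 * to decrypt instead of quietly returning someone else's value.
 */
function encryptField(string $key, int $rowId, string $column, string $plaintext): string
{
    $nonce = random_bytes(NONCE_BYTES);   // fresh per call; XChaCha's 192-bit nonce makes random nonces safe
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, "$column:$rowId", $nonce, $key);
    return base64_encode($nonce . $ct);   // the nonce is not secret; store it with the ciphertext
}

/** Returns null on a wrong key, tampered data, or data moved to another row/column. */
function decryptField(string $key, int $rowId, string $column, string $stored): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < NONCE_BYTES + TAG_BYTES) {
        return null;
    }
    $nonce = substr($raw, 0, NONCE_BYTES);
    $ct = substr($raw, NONCE_BYTES);
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ct, "$column:$rowId", $nonce, $key);
    return $pt === false ? null : $pt;
}

// Passwords are the other case: never encrypted, only hashed with a slow,
// salted hash, because nobody (not even the DBA) should ever get them back.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPassword(string $password, string $hash): bool
{
    return password_verify($password, $hash);
}

function check(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . "\n";
}

// Demo (constructed values). The key would normally be loaded, not generated,
// and never stored beside the data it protects.
$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();

$stored = encryptField($key, 42, 'national_id', 'AB123456C');
check(decryptField($key, 42, 'national_id', $stored) === 'AB123456C', 'round trip with the right row and column');
check(decryptField($key, 43, 'national_id', $stored) === null, 'ciphertext moved to another row is rejected');
check(decryptField($key, 42, 'phone', $stored) === null, 'ciphertext moved to another column is rejected');
check(decryptField($key, 42, 'national_id', substr($stored, 0, -4) . 'AAAA') === null, 'tampered ciphertext is rejected');

$hash = storePassword('correct horse battery staple');
check(checkPassword('correct horse battery staple', $hash), 'password verifies');
check(!checkPassword('Tr0ub4dor&3', $hash), 'wrong password fails');

sodium_memzero($key);
```

The associated data is what makes this more than “encrypt the value”: a database-level attacker who can copy ciphertexts between rows (to give themselves another customer’s record, say) gets a decryption failure instead of a silently wrong plaintext. The same pattern works with any AEAD; what it cannot do is let a reporting client read the column, which is exactly the trade-off the question is probing.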
Should comments be necessary within code or should it be self-evident?
This debate has been raging for years. Some developers believe comments are necessary for generated documentation and for explaining intent, whereas others argue the code should be so simple and understandable that the next reader doesn’t need them.
The answer should demonstrate the applicant understands the need to produce work which can be easily understood by other developers.
Good answer: both, if possible. But if time is short, the code should be understandable. If there is time and resources, extensive documentation is essential for long-term maintenance.
How often do you bump up against the N+1 problem?
Imagine you have a list of news articles with comments on them. To print them, you loop over the articles and, inside the loop, issue a separate query for each article’s comments: one query for the list plus one per article, hence “N+1”. If every article has one comment, it’s simple. If each has 5,000 comments and the code loads them one at a time, 10 articles mean 1 + 10 × 5,000 = 50,001 round trips to the database. If each comment also loads its author’s picture, it doubles again. We solve the problem in two ways: eager loading (https://www.imperva.com/learn/performance/lazy-loading/), or a database view. Eager loading collects the article ids and fetches every comment for all of them in one batched query (or a join), so the query count stays constant however many articles there are.
The answer should demonstrate the applicant is experienced enough in the language to know solutions to common problems.
Good answer: rarely unless it’s legacy code, as almost all framework ORMs now have a way to do eager loading.
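The two strategies side by side, as an added example that is not from the article and does not use any particular ORM: the N+1 loop and the batched eager load, both run against an in-memory SQLite database through PDO with a query counter so the difference is measurable. It assumes the pdo_sqlite extension is enabled; the tables, column names and sample data are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article. Assumes pdo_sqlite; the schema
// and data below are constructed for the demo.

final class CountingDb
{
    public int $queries = 0;

    public function __construct(private PDO $pdo) {}

    /** Run one query and record that it happened. */
    public function run(string $sql, array $params = []): array
    {
        $this->queries++;
        $st = $this->pdo->prepare($sql);
        $st->execute($params);
        return $st->fetchAll(PDO::FETCH_ASSOC);
    }
}

/** N+1: one query for the list, then one more query per article. */
function loadNPlusOne(CountingDb $db): array
{
    $articles = $db->run('SELECT id, title FROM articles ORDER BY id');
    foreach ($articles as &$article) {
        $article['comments'] = $db->run(
            'SELECT id, body FROM comments WHERE article_id = ? ORDER BY id',
            [$article['id']]
        );
    }
    unset($article);
    return $articles;
}

/** Eager loading: one query for the list, one batched query for every comment, joined in memory. */
function loadEager(CountingDb $db): array
{
    $articles = $db->run('SELECT id, title FROM articles ORDER BY id');
    if ($articles === []) {
        return [];
    }
    $ids = array_column($articles, 'id');
    // One placeholder per id: the values are bound, never interpolated into the SQL.
    $in = implode(',', array_fill(0, count($ids), '?'));
    $comments = $db->run(
        "SELECT id, article_id, body FROM comments WHERE article_id IN ($in) ORDER BY id",
        $ids
    );
    $byArticle = [];
    foreach ($comments as $c) {
        $byArticle[$c['article_id']][] = ['id' => $c['id'], 'body' => $c['body']];
    }
    foreach ($articles as &$article) {
        $article['comments'] = $byArticle[$article['id']] ?? [];
    }
    unset($article);
    return $articles;
}

// Constructed sample data: 10 articles with 50 comments each.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, article_id INTEGER NOT NULL, body TEXT NOT NULL)');
$insArticle = $pdo->prepare('INSERT INTO articles (id, title) VALUES (?, ?)');
$insComment = $pdo->prepare('INSERT INTO comments (article_id, body) VALUES (?, ?)');
for ($a = 1; $a <= 10; $a++) {
    $insArticle->execute([$a, "Article $a"]);
    for ($c = 1; $c <= 50; $c++) {
        $insComment->execute([$a, "Comment $c on article $a"]);
    }
}

$db = new CountingDb($pdo);
$slow = loadNPlusOne($db);
$slowQueries = $db->queries;        // one for the list plus one per article

$db->queries = 0;
$fast = loadEager($db);
$fastQueries = $db->queries;        // two, however many articles there are

printf("N+1: %d queries, eager: %d queries, identical result: %s\n",
    $slowQueries, $fastQueries, $slow === $fast ? 'yes' : 'no');
```

The `IN (...)` list is built from placeholders and the ids are bound, which is the habit worth keeping when you hand-roll eager loading outside an ORM: the moment someone interpolates the id list into the string, the performance fix has bought a SQL injection.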
What are Generators and Enums?
Generators (https://www.tutorialspoint.com/php-generators) were added to PHP in version 5.5. Enums (https://php.watch/versions/8.1/enums) were added in version 8.1. Both are features you would know from other languages with a computer science background, but you need to keep up with the language’s development to know how PHP does them. WordPress, by comparison, still supports PHP 5.6; it’s unlikely a WordPress developer or junior would be familiar with them.
The answer should demonstrate the applicant keeps up with PHP developments.
Good answer: generators let a function produce values one at a time with `yield` instead of building a whole array first, so large or even infinite sequences can be iterated lazily. Enums are a closed, type-safe set of named cases, optionally backed by an int or string value.
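Both features in working code, as an added example that is not from the article: a string-backed enum that carries its own behaviour and is only ever built from user input through `tryFrom()`, and a generator that regroups any iterable (here an infinite one) into fixed-size batches without materialising it. Requires PHP 8.1 for enums; the roles, actions and id sequence are invented for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article. Requires PHP 8.1 (enums). The
// roles, actions and ids are invented for the demo.

enum Role: string
{
    case Viewer = 'viewer';
    case Editor = 'editor';
    case Admin  = 'admin';

    /** Behaviour lives on the enum; match has no default, so an unhandled case throws instead of falling through. */
    public function can(string $action): bool
    {
        return match ($this) {
            Role::Viewer => $action === 'read',
            Role::Editor => in_array($action, ['read', 'write'], true),
            Role::Admin  => true,
        };
    }
}

/** Only accept roles from the closed set: tryFrom() turns an unknown string into null rather than an exception. */
function roleFromRequest(string $raw): ?Role
{
    return Role::tryFrom(strtolower(trim($raw)));
}

/** An infinite, lazy sequence of ids: each value is produced only when the consumer asks for it. */
function idsFrom(int $start): Generator
{
    for ($i = $start; ; $i++) {
        yield $i;
    }
}

/**
 * Regroup any iterable into arrays of $size. The generator's local state
 * (the partial batch) survives between yields, and the source is never
 * fully materialised, so it works on the infinite sequence above.
 */
function batches(iterable $source, int $size): Generator
{
    $batch = [];
    foreach ($source as $item) {
        $batch[] = $item;
        if (count($batch) === $size) {
            yield $batch;
            $batch = [];
        }
    }
    if ($batch !== []) {
        yield $batch;   // the short tail of a finite source
    }
}

// Demo: roles from (constructed) request input, including one that is not a real role.
foreach (['editor', ' Admin ', 'superuser'] as $raw) {
    $role = roleFromRequest($raw);
    echo str_pad("'$raw'", 12), ' -> ',
        $role === null ? 'rejected' : $role->value . ', can write: ' . var_export($role->can('write'), true),
        "\n";
}

// Demo: take three batches of three from an infinite sequence, then stop; the generator never runs further.
foreach (batches(idsFrom(100), 3) as $n => $batch) {
    echo "batch $n: ", implode(',', $batch), "\n";
    if ($n === 2) {
        break;
    }
}

// Demo: a finite source leaves a short tail.
foreach (batches(['a', 'b', 'c', 'd', 'e'], 2) as $batch) {
    echo implode(',', $batch), "\n";
}
```

The security-relevant habit in the enum half is building the value with `tryFrom()` and treating `null` as a rejection, so a role name arriving in a request can never become a case that does not exist; the generator half is the shape of “process a million rows in chunks” without ever holding a million rows.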
How do you explain the need to change from Waterfall methodology?
You always use a methodology or process, even if you don’t know what it’s called. The Waterfall Model (https://en.wikipedia.org/wiki/Waterfall_model) is found mostly in design houses, and separates the work into sequential phases: gathering the requirements, writing the code, testing, changes, etc. The Software Development Lifecycle (SDLC) is represented in many different ways. The most popular is Agile. It’s annoying.
The answer should demonstrate the applicant understands the typical agency “web design” methodology has a name, and the more advanced kinds used in professional software houses.
Good answer: software development is different from the processes you would find in a design house. It has a documented lifecycle which is managed by competing methodologies. The right choice is important.
How do you stop your codebase becoming a monolith?
PHP is a great language for prototyping, but it gets harder to work with as it grows. Developers add more and more code in response to more and more requests from the business for extra functionality. Eventually, at some point down the line, you have a monolith which needs to be broken apart into manageable chunks that interoperate. This can often be done via modularisation or an Enterprise Service Bus (ESB).
The answer should demonstrate the applicant understands how a project develops and the need for foresight when managing it.
Good answer: ideally a project should be modularised early-on, but it’s important to set a red line of when it will need to be broken up. Perhaps a key milestone such as integrating more than five external APIs.
When would you recommend using a NoSQL database?
Relational databases such as SQL Server, MySQL etc. store data in tables of rows and columns, like a spreadsheet, and are interrogated with SQL. PHP ships with MySQL client extensions (mysqli, PDO), which is why the two are so often paired; MySQL is owned by Oracle, is sometimes seen as “junior” software with awkward limitations, and can be a poor choice when needing to scale. NoSQL databases are a more recent category; the document stores among them hold JSON-like documents, are driven programmatically, scale horizontally, and don’t impose a fixed row-and-column schema.
The answer should demonstrate the applicant understands the difference between the two types of database and the latter’s speed and flexibility.
Good answer: at the beginning, thinking ahead to how things will need to work if the project scales quickly. NoSQL is extremely useful for unstructured data and horizontal scaling. Bonus points: mentioning idempotent operations.
What’s the difference between an aggregation and a materialised view?
In a relational database, a view is a stored SQL query, typically joining several tables, which presents a “live” and “customised” set of results. When it is “materialised”, the result is written to a physical table as static cached data which must be refreshed. In MongoDB-style NoSQL databases, an aggregation is a multi-stage calculation built from a “pipeline” of instructions (match, group, sort, and so on), like a recipe.
The answer should demonstrate the applicant understands advanced database operations and why they are useful.
Good answer: the first uses a pipeline, the second stores a physical cache of a view’s results. Both avoid doing big calculations in application code, and let other programs read the same pre-computed data.
Which PSR are you most religious about?
PHP’s 20+ industry standards (https://www.php-fig.org/psr/), the PSRs, are recommendations published by the PHP Framework Interoperability Group (FIG). Different frameworks agree to handle things the same way so they are interoperable. PSR-4 covers autoloading, PSR-7 HTTP message interfaces, and PSR-12 code style.
The answer should demonstrate the applicant understands professional development must follow standards and not be arbitrary.
Good answer: any of them, with a detailed answer as to why.
Where do you prefer to put your domain-specific business logic?
Most PHP frameworks use some variation of the Model-View-Controller pattern. A Controller (code) requests data through a Model (the data layer) and hands it to a View (the page). Inexperienced developers tend to stuff as much decision-making code (logic) into the controller as they can, because that’s the way PHP used to work. Formally-trained programmers compartmentalise rules and decision-making into modular “black boxes” (e.g. services) so those three elements stay as “clean” as possible.
The answer should demonstrate the applicant understands the basic structure of design patterns and the importance of not publishing spaghetti.
Good answer: injectable services, or packages. Controllers should be thin, and models fat. Views should rarely contain PHP.
How do you approach multi-lingual software where customers store Hebrew, Arabic, and Mandarin?
Most programmers develop in English, but the business’s customers might be anywhere. A good development methodology anticipates other languages from the start: French has accents; Cyrillic has additional characters; Hebrew and Arabic read right to left; Chinese, Japanese and Korean use scripts with thousands of characters that need more than one byte each.
The answer should demonstrate the applicant has a global business outlook and understands the difficulty in managing database translations.
Good answer: a multi-lingual approach is very hard to retrofit, so it should be there from the beginning. Unicode is essential: UTF-8 end to end, `mbstring` rather than byte-oriented string functions in PHP, and `utf8mb4` rather than MySQL’s 3-byte `utf8` charset. Static strings belong in language files, and a database schema able to hold different scripts and per-record translations needs real time spent on it.
How would you go about storing categories or threads?
Categories are difficult to deal with in code or databases because they form trees of unlimited depth, and a tree does not map naturally onto flat tables. A hierarchy can expand to hundreds of subcategories, or a comment thread can go dozens of levels deep. A Nested Set (https://en.wikipedia.org/wiki/Nested_set) models the tree by giving each row a left and right number from a depth-first walk: every descendant of a node has numbers between that node’s left and right, so a whole subtree can be fetched with one range query. The simpler adjacency list (each row stores its parent id) needs recursive queries instead.
The answer should demonstrate the applicant understands computer problems have been solved many times over with a formulaic answer to consult rather than their own hacky idea.
Good answer: a nested set hierarchy (or an adjacency list with recursive queries, or a closure table) rather than something home-grown. Or a NoSQL document database, which can store the thread as a nested document.
How do you explain the difference between authentication and authorization?
Authentication identifies a user from the credentials they supply, and issues them something that proves that identity on later requests (a session cookie or token). Authorization determines whether an authenticated user has permission to do a particular thing, and so happens AFTER authentication. A user can be authenticated but not authorized; the HTTP codes 401 (not authenticated) and 403 (authenticated but not permitted) mirror the split.
The answer should demonstrate the applicant understands basic IAM/IDAM principles.
Good answer: authentication means checking credentials, authorization means checking permissions.
Do you find writing tests time-consuming?
They are; in some cases they double the development workload. Automated unit tests are still essential to good development: they find errors before they emerge on production, prove that modifications actually work, and force programmers to think scientifically. Developers from a non-professional or less formal background aren’t as familiar with them.
The answer should demonstrate the applicant understands the benefits of testing and the nuances involved in allocating time to writing them in a productive, strategic way.
Good answer: yes, but they are crucial. It can be difficult to know how granular to be with them, and how to schedule them into the project schedule.
Should the developer create the database with migrations, or the DBA?
Database migrations and seeders are a mixed blessing. They give programmatic, versioned control over creating a database and its content, but they can descend into chaos. Small companies without a database administrator often skip schema design and version control altogether, and the resulting mess is very hard to fix later once it contains live data.
The answer should demonstrate the applicant understands database design is a specialist field needing specific management, and not their playground.
Good answer: if possible, it should be under the management of a DBA. If not, the database should be carefully planned and documented before any code talks to it.
What do you think about dating sites’ use of ELO scores?
Zuckerberg’s “Facemash” and Tinder both started out using a competition scoring algorithm: the Elo rating (https://en.wikipedia.org/wiki/Elo_rating_system), named after Arpad Elo. Given 100 chess players in a room, it computes each player’s “rank” as they win or lose matches against the others during a tournament. Most ranking algorithms do a mathematical computation which arrives at a score, then sort the scores into a league table.
The answer should demonstrate the applicant understands the limitations of algorithms and their applicability in different situations.
Good answer: an algorithm is essentially a recipe. Elo ratings are zero-sum calculations where one person wins and the other loses. It does not take multi-player games into account, and it’s a dreadful way to approach relationships.
How do you approach keeping a socket connected to a different system?
Under the usual PHP-FPM/CGI model, PHP runs a “blocking” single-request lifecycle with a maximum execution time: it receives a request, sends a response, and exits, and the next request starts again from scratch. Network sockets are the opposite: a persistent, always-open connection to another machine. Examples are WebSockets (opened with an HTTP upgrade) for online chat, transferring files via FTP, online gaming, etc. Keeping a socket open requires the script to stay resident, either by lifting the time limit or by running under a long-running async runtime (Swoole, ReactPHP, RoadRunner), and the connection can still drop and need reconnecting.
The answer should demonstrate the applicant understands PHP is a bad choice for working with sockets.
Good answer: I wouldn’t do that if I could help it. But if I had to, I would use an unlimited timeout or an async framework, and expect it to break every thirty seconds.
Which of the OWASP top ten concern you the most during your work?
Security always has to come first, but it usually comes last. The top ten web application security risks are well-known (https://owasp.org/www-project-top-ten/) and all developers should be aware of them; the 2021 list puts Broken Access Control first, with Cryptographic Failures and Injection (which now includes XSS) next. Understanding how, where, and when your application could be targeted requires developing a threat model.
The answer should demonstrate the applicant understands basic security concerns.
Good answer: the most commonly exploited are weak or reused passwords, SQL injection, and cross-site scripting (XSS). These are relatively easy to mitigate with parameterised queries, context-aware output escaping and a proper password hash, and the team should back that up with a threat model and a reputable pen-testing partner for the things a checklist doesn’t cover.
Which HTTP error codes do your exceptions generate the most?
Good engineering is defensive: it treats the many possible error conditions as the norm, rather than the single success outcome as the default. Instead of a crash, an error should raise an exception which can be caught so the app doesn’t stop unexpectedly. APIs use standardised HTTP status codes. 400 means a bad request, 401 means the request was not authenticated (the name “Unauthorized” is misleading), 403 means authenticated but forbidden, 404 means not found, 405 means the method is not allowed for that resource (e.g. a POST to a GET-only route), 412 means a precondition such as an If-Match header failed, 429 means too many requests (419 is not a standard code; Laravel uses it for an expired CSRF token), and 422 means the request was well-formed but the data in it was invalid. The most common are going to be 401, 403, 404, and 422.
The answer should demonstrate the applicant understands how REST APIs work and is conscientious about dealing with errors.
Good answer: 404 for the web interface, but 401 and 422 mainly with APIs. It means a token wasn’t sent or was rejected, and/or the data sent wasn’t valid.
What’s your development setup?
Engineers all have different preferences and ideas about how to set up their own equipment, which causes a consistency problem. To get around that, you use virtualised or containerised environments that run identically to the deployment environment. We don’t use bundled stacks like XAMPP or set things up in a customised way, because what works on your laptop may not work anywhere else. Development needs to be “portable”.
The answer should demonstrate the applicant has worked in a typical professional environment which will mirror its customer.
Good answer: Docker, Git, a professional PHP IDE (e.g. PhpStorm) with debugging, and a professional database program (e.g. Workbench, DBeaver).
Which anti-pattern infuriates you the most?
An anti-pattern (https://en.wikipedia.org/wiki/Anti-pattern) is a dysfunctional or counterproductive habit that development teams and companies exhibit. There are scores of them. The important part is to root them out.
The answer should demonstrate the applicant is aware of anti-patterns and need to confront them, rather than go along.
Good answer: any of them.
Do you prefer to roll-your-own or use packages?
Good software practice teaches the importance of modularization and reusability. You don’t write things twice or reinvent the wheel. There is a subset of engineers who are stubborn in an almost religious way about using other people’s code, and insist on writing their own – even creating new frameworks. There are times when packages won’t work or need to be customised, but generally speaking, it’s faster to use pre-built code that has been battle-hardened by others.
The answer should demonstrate the applicant understands the importance of compromise and applicability of packaging reusable components over their own ego.
Good answer: whenever I can, I like to use reusable components that are popular amongst developers, and create ones within the project itself.
How do you deal with storing data from different timezones?
This is a trick question to discover whether the applicant’s experience is parochial and based only in their own local area. Timestamps in a database are stored in UTC (GMT/“Zulu” time, as in aviation) as the baseline, and converted into the user’s own timezone only when they are displayed.
The answer should demonstrate the applicant understands how to normalise data.
Good answer: I store it in UTC.
How do you keep sessions alive in your REST APIs so people stay logged in?
This is another trick question. You don’t. Sessions maintain state, and REST is stateless: each request is new and does not remember the user from the last one, so every request must carry its own proof of identity. Web applications which use AJAX (XMLHttpRequest or fetch) are plain HTTP requests made from “inside” the page, and simply reuse the same session cookie.
The answer should demonstrate the applicant understands how REST is designed to work and the difference between that and AJAX.
Good answer: you don’t. REST APIs use token-based authentication (a bearer token sent with every request) and don’t maintain a server-side session; tokens are short-lived and checked on each call.
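The three questions above on authentication versus authorization, on which status codes an API generates, and on stateless REST come together in one request handler. The following is an added example, not code from the article or any framework: a bearer token is checked afresh on every request with no server-side session, a failure to identify the caller returns 401, an identified caller without the permission returns 403, and an identified, permitted caller sending bad data returns 422. The token store, user table, permission map and request cases are constructed for the demo, and tokens are kept only as SHA-256 hashes so a leaked store cannot be replayed. Requires PHP 8.1.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article. Requires PHP 8.1. The users,
// permissions, token format and request cases are constructed for the demo;
// a real API would keep the token store in a database or cache.

final class AuthError extends RuntimeException
{
    public function __construct(public readonly int $status, string $message)
    {
        parent::__construct($message);
    }
}

// Constructed "user table" and permission map.
const USERS = [
    1 => ['name' => 'alice', 'role' => 'editor'],
    2 => ['name' => 'bob',   'role' => 'viewer'],
];
const PERMISSIONS = [
    'viewer' => ['article:read'],
    'editor' => ['article:read', 'article:write'],
];

final class TokenStore
{
    /** @var array<string, array{user_id:int, expires:int}> keyed by sha256(token) */
    private array $byHash = [];

    /** Issue a token once the user has proven who they are (password, SSO, ...). */
    public function issue(int $userId, int $ttlSeconds, int $now): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG; only the client ever holds this
        $this->byHash[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => $now + $ttlSeconds];
        return $token;
    }

    /** Authentication: who is this? Proven afresh on every request; nothing is remembered between calls. */
    public function authenticate(?string $authorizationHeader, int $now): int
    {
        if ($authorizationHeader === null || !str_starts_with($authorizationHeader, 'Bearer ')) {
            throw new AuthError(401, 'missing bearer token');
        }
        $token = substr($authorizationHeader, 7);
        $record = $this->byHash[hash('sha256', $token)] ?? null;   // look up by hash, never by raw token
        if ($record === null || $record['expires'] <= $now) {
            throw new AuthError(401, 'invalid or expired token');
        }
        return $record['user_id'];
    }
}

/** Authorization: may this already-identified user do this particular thing? */
function authorize(int $userId, string $permission): void
{
    $role = USERS[$userId]['role'] ?? null;
    if ($role === null || !in_array($permission, PERMISSIONS[$role] ?? [], true)) {
        throw new AuthError(403, "user $userId lacks $permission");
    }
}

/** One handler, with each failure class mapped to the status the article lists. */
function handleWrite(TokenStore $store, ?string $authHeader, array $body, int $now): array
{
    try {
        $userId = $store->authenticate($authHeader, $now);   // 401 on failure
        authorize($userId, 'article:write');                  // 403 on failure
        if (!isset($body['title']) || trim((string) $body['title']) === '') {
            return ['status' => 422, 'error' => 'title is required'];   // identified and permitted, but bad input
        }
        return ['status' => 201, 'by' => USERS[$userId]['name']];
    } catch (AuthError $e) {
        return ['status' => $e->status, 'error' => $e->getMessage()];
    }
}

// Demo with constructed requests: each row is [label, Authorization header, body, optional clock].
$store = new TokenStore();
$now = time();
$alice = $store->issue(1, 3600, $now);
$bob   = $store->issue(2, 3600, $now);

$cases = [
    ['no token',        null,              ['title' => 'Hello']],
    ['garbage token',   'Bearer deadbeef', ['title' => 'Hello']],
    ['bob (viewer)',    "Bearer $bob",     ['title' => 'Hello']],
    ['alice, no title', "Bearer $alice",   []],
    ['alice ok',        "Bearer $alice",   ['title' => 'Hello']],
    ['alice, expired',  "Bearer $alice",   ['title' => 'Hello'], $now + 3600],
];
foreach ($cases as $case) {
    $r = handleWrite($store, $case[1], $case[2], $case[3] ?? $now);
    printf("%-16s -> %d %s\n", $case[0], $r['status'], $r['error'] ?? 'created by ' . $r['by']);
}
```

Two details carry the security weight. The checks run in a fixed order (identify, then permit, then validate), so an unauthenticated caller learns nothing about which permissions or fields exist; and the store holds only hashes, so the database compromise the encryption question worries about does not hand an attacker every live session.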
What ways you have found to make PHP faster?
One developer, one machine is a bad recipe for performance. A single user in an app during debugging hits no CPU, RAM, or disk speed limits. But when it jumps to 1,000 requests per second, code often doesn’t scale. PHP’s compiled bytecode can be cached with OPcache, output can be cached, CDNs can host static content, the app can run under a long-running async runtime (e.g. RoadRunner, Swoole), PHP-FPM pool settings can be tuned, the machine can be given more resources, and many other things, but none of it makes a difference if your code is badly written.
The answer should demonstrate the applicant has worked at scale and understands basic speed techniques, and that the real performance factor is forethought about what you write.
Good answer: any combination of the above, but with the explicit caveat 12,000 database queries on a homepage won’t get fixed that way.