+972 52-548-6969
My morning dose of code
time to read 2 min | 288 words
Yesterday I had to interview two guys for a PHP job. One had about 8 years experience in programming (not just PHP) in general, one was a sysadmin. As usual, I ask interievees to solve some code excersize (in this case, save an email to the DB). That is the code that the guy with 8 years programming has written:
<?php $persone_name = $_POST["nm"]; $CityID = $_POST["ct_id"]; $message = $_POST["msg"]; $cn = mySQL_connect("127.0.0.1","root"); mysql_select_db("myDB"); mysql_query("INSERT INTO tbl_data (persone_name,city_id,message) VALUES ('" . $persone_name . "', '" .$CityID . '",'" . $message . "'"); mysql_close($cn); ?>
And here is the code that the sysadmin has written:
function save_to_db($host, $dbuser, $dbpassword, $dbname, $msg)
{
//this function saves sent by parameters data to database
$conn = new mysqli($host, $dbuser, $dbpassword, $dbname);
$id=NULL;
//preparing a query
$stmt= @$conn->prepare("INSERT INTO msg VALUES (?,? ,? ,? ,?)");
if($stmt == FALSE)
{
echo $conn->error;
$conn->close();
}
//binding data
$stmt->bind_param('sssss',$id,$msg['from'],$msg['to'],$msg['subject'],$msg['content']);
//escaping strings to prevent a SQL injections
foreach($msg as &$item) {
$item=$conn->real_escape_string($item);
}
// excuting a query
$result=@$stmt->execute();
return $msg;
}I got that code as the first thing that I saw when I opened my mail, and that was a good way to start the day.
I don't think that I need to say who will get the job, right? And remember, the first one was written by someone with 8 years experience.
That is for the next time someone accuse me from despairing from the state of programmers on the market.
Comments
Hey, it's crap, but it works.
I've once interviewed someone who was a had been a senior .NET dev for a few years, had extensive experience, design skills, whatever. She even had working experience in WCF and WF.
Alas, the poor girl couldn't write a console app in C#, that reverses a string.
WITH VS 2005 !!
I stopped her after about 20 minutes of desperate F11 strokes ...
I am not a PHP coder so forgive me for asking, but:
Why is he escaping the strings when he is using SQL parameter binding?
Apart from that, I once had to explain to a coworker (a programmer) what SQL injection is...
LOL. That so funny and reminds me of the last time I interviewed PHP developer (about 3 years ago now).
I never got to do them a test, but I would present them with some code. This would be an example of a simple page getting something from a Database and displaying. The thing would be full of errors and other bad stuff ranging from SQL injection vulnerabilities to simple syntax errors to bad comments to bad formatting etc etc. I think we counted over 20 obvious things.
My question would be "discuss". Very usefull as you could see how people approach it. Some would comment on the style, some on syntax, some on design.
One of the guys with an amazing CV looked at it for a couple of minutes and said "This looks pretty good, what do you want me to comment on". Me: "Really, just anything, errors, comments, bad design ..." Him: "No really, I can't see anything" Me: "No, reaaaaly, look some more" ...
So we ended the interview at this stage at which point he said "I know I didn't do very well in this interview, but I really am a good developer" LOL
I would not have read past line 2 for person with 8 years disregard for naming conventions - lower case and underscores for $persone_name, CamelCase for $CityID. And what is a 'persone' anyway?
Well, admin code is trying to be better but really isn't.
1) you don't have to escape mysqli query parameters if you state they are strings
2) his function tries to handle some errors, but does he really? Hiding a lot behind @ and not really acting to the result.
3) Why do you need a php coder anyway :)
Why are there many dollars in the code? Do Php developers always think in terms of money?
Why testing at all...
Describe them the real job they'll have to do, ask whether they can do it and how they would do it... etc. pp
These coding tests were crap especially when context is missing... Maybe your 8years experienced developer thought of a fast solution or any solution. It's a test not a real job with real considerations e.g. on SQL injections etc.
Maybe you like a nice interface to? With AJAX? Your testing is what you thing his coding is.... The comments were clutter and useless at all as they describe what i can read from the source... These are not good comments... the function name is shit... ok, i guess you got the idea...
or your interviewee present you an old project he has done...
But such textbook examples have not much value at all... There are better ways
Adre,
Would it surprise you that people lie in interview, or at best, tell a better story?
There are a lot of people that can do a talk the talk, but can't walk the walk. And I wouldn't write code like that ever, no one should.
The coding tests were not crap. A lot of coding that you do is from conventions that get hard wired into your brain after a long period of time. You simply don't think about which casing you use in your variable names after you've done it thousands of times. In the same way, if the person who gave you a code fragment had hard coded connection strings and was vulnerable to injection attacks you would suspect that other code he would write would be much like this as well.
Also some people do seem to be missing a major point here. This was a question to an interview. Shouldn't you make sure you have a good solution when you give an answer to an interview?
Think about the other things in this example as well. One person has demonstrable knowledge of PHP API changes in the past ... lots of years.
@Sanae In php the dollar signs denote variables.
Agree with Andre,
You know honestly, this is such a loaded BS test. If you ask someone to do something, and they do it, then what's the problem?
Seriously, the 8-year dude probably thought you were the one full of shit, copied some stuff off a website that had php scripts, and took 2 minutes out of his day and went on with life.
The other developer probably took 30 to 1 hour of time, had to look at the same code and formulate his own function, put in pretty comments and everything and there you have it.
If you ONLY asked for what you've said, then the senior guy did it in less time, less lines of code, and therefore saved the company that much more money. Sure it's a pile of shit, but what did you ask for?
Now if you asked for a reusable, and commented function that adhered to some sort of code standards then yeah, I'd think this was trash too.
When people ask me these sorts of questions in interviews, I'm the one that stops the interview. You're essentially looking for a key word, or lines of code that make me feel like I'm on a game show. If I don't say exactly what you want, I eventually fail the interview or get a lower salary because of it if you do get past a "gatekeeper".
When I interview people, I actually do ask a few simple questions "about code", and try to see what people are interested in. EVERYONE can learn something but not many people really want to. One candidate will go home at night thinking about code, reading blogs, and working on 4 different open source projects in his spare time? The other candidate wants to earn a paycheck.
Which would you choose, regardless the years of experience?
@Ayende:
I'm going to have to call you on this one: "And I wouldn't write code like that ever, no one should."
Are you saying you would write code like the sysadmin? I don't think so. Not even in PHP. I wouldn't put either of those code blocks in production.
But that wasn't your question was it? You asked them to put something into a database. You didn't ask for abstraction, testability, logging, maintainability, adherence to code standards, etc. So I think it's a little harsh to insult the 8 year guy's skills.
I'll go with Ayende with this. Coding calls for discipline. If you're given an interview question and just gives back a "do-what-it-takes" answer, that's an irresponsible knee-jerk reaction.
Do abstraction, testability, logging, maintainability, and adherence to code standards need to be specified, and explicitly required?
Don't they need to be the standard?
Or perhaps Ayende should have stated that he had high standards. That would be funny, because it would be scary if your interviewer told you "oh, I don't need fancy stuff, just show me you can make it work."
Obviously, Ayende isn't looking for Morts with 8 years of experience. He knows what he needs in his team -- so we can't take it against him to freak out at Morts.
both code may fail or succeed within this very limited view where the constraints on the code are very open... i agree with the others, saying that his code might be 'good enough' for a quick hackish tool or not 'good enough' for a valuable productive piece of good software engineering implementation practice...
So the sysadmin's code may also break if $stmt is false and nevertheless tries to bind data subsequently... But hey... it wins the conventions beauty award.. API and language specific things were grasped really fast by an experienced developer. And since todays APIs or Technologies were not long-living, I would set more on long-term knowledge enabling the developer to understand new, non-durable Technologies. A developer has to learn throughout his employment and typing code is not the main-activity of an developer. It is thinking about what to type...
And don't misunderstand me here: Style is important. Though, your test does not say much to be a own quality.
This way of code testing is a game show. Do your clients want to play such game shows with you? Or do you have a chance to present things: other clients/their benefits; other projects, stories, architecture/design considerations, artifcats in common (images, documentation, source code), whatever). So why do you not want to play a game show? Do you have to write short 10-liners for your client first to get the job?
Don't let people make stupid things. This is distressing and to some extent insulting. This is a non-cooperative style and i can understand people stopping such interviews. They give you their work and you pay them for their ...for giving their work...
"Would it surprise you that people lie in interview, or at best, tell a better story?" I would not be suprised, if you believe them... And there are not much people saying, given they know the real job (not just tests), they can do the job, even if they can't.... just make the consequences clear...
I would recommend some research in other methods... at least complementary... If you like adhoc code testing then at least done right.
Jon Limjap wrote:
"Do abstraction, testability, logging, maintainability, and adherence to code standards need to be specified, and explicitly required?
Don't they need to be the standard?"
the question is common, i answer common....
... there are much more quality attributes (performance? security? Time (to Market)? Cost/value/risk? and so on) and yes, they need to be specified since some attribtues conflict with others (e.g. performance vs. modifiablity/maintainability/abstraction)... So it at least priorities were necessary and if you really care for quality attributes (not just lip servicing) there is much more to it - starting on the requirements level (e.g. quality attribute scenarios).
"Everyone wants things cheap, wants them fast and wants them high quality. But everybody know that you can only achieve any two of them" (more or less by Ed Yourdon)
logging standard? how? (3rd party-lib, hierarchical, authentic (how much security?), echos?)...
It is not only what (e.g. abstraction) ...it is also how much of it and how to realize that much.... the code above could be done much more abstract but it doesn't make more sense for a 10-liner test-script....
"Don't they need to be the standard?" == Every car should drive.
@ Willie Tilton
"One candidate will go home at night thinking about code, reading blogs, and working on 4 different open source projects in his spare time? The other candidate wants to earn a paycheck."
We all are working for the paychecks, so all people do. If I met a guy who will try to assure me that money don't really motivate him I'd think that he is either a jerk or a lier. In both cases this candidate won't succeed. Regarding the code tests I think you should not rely on them, the trial will show the things up.
I think there's a lot to be gleaned from those samples, especially if you know what you're looking for, which I suspect @Ayende does.
The first guy has been coding for 8-years - 8 years. That's a long time. But yet he still:
Doesn't have a naming convention for his variables. $person_name (underscored), $CityID (title case), $message (lowercase). I think it took me 2-3 years to find and consistently use naming conventions I was happy with, it was a struggle but I CARED!
Uses SQL string concatenation. Perhaps PHP does take care of this behind the scenes to prevent SQL injection, I don't know. In an interview situation I'd expect someone to still use parameterized quries, or at least comment that they would in production code.
Writes messy code. It's an interview, a time to show off. Just as has recently been discussed on this blog, this code smells of broken windows, surely you'd want to make a good impression by tidying things up. Unless, you've never learnt to tidy up your code, or have never worked in an environment where tidy code helps maintainability?
All this points to a sloppy code who doesn't care much for his profession.
The 2nd sample looks like it's from someone who cares. For me, that would be considered a GOOD THING for tons of reasons.
Again:
Both code is crap.
the one of the 8years experienced in whatever and the sysadmins... but you get illusionate...
the sysadmin
writes useless comments (except the SQL injection note): $total = 3 + 3; // this sums up 3 and 3
breaks code if $stmt is false and he binds data though
closes the connection within the "error handler" but not at the end (he had create and configured the instance)
results nonsense (some people like command/query seperation too)
he didn't checked the function arguments, e.g. $msg
this is not error handling and not logging (echo... when using this function in a real environment or not?)
he separates args with comma and space and sometims with comma without space
the function name (save_to_db) does not say much without context (saving what?)
and so on
and he could also do it more abstract... instead of a Database he uses a Store or builds a MessageStore->add or a Message->save whatever... he also could seperate the configuration of the store from the saving action... but on what basis you judge this? There is no context... maybe the one or the other code is better if embedded in a project ...but did they know how their code is used? no... it just a test: just do something... they have done something.... the 8years guy doesn't try to fake a good program - you see immediatly it's hackish and not for real use.... the other one fakes with more or less consistent style. And maybe your examples were pimped by yourself - the 8years guy has too much shit in these few lines. But this is not important... If you say "8years experience" without more information and questions, you just think your own meaning into this phrase... or let us think it to polarise...
well, I don't know what developers you are looking for... but i guess in both cases i hadn't need a coding test to select them out or not.... If you look for cheap not even-good-enough code monkeys ...ok... coding tests might be important here....
@Comlin
"If I met a guy who will try to assure me that money don't really motivate him I'd think that he is either a jerk or a lier."
...or rich. Or well-balanced. Or they prioritize their spiritual side. Or...well the list goes on of course.
Please don't assume that we're all running by the same tick, because we're not.
Comment preview