Tuesday, May 16, 2006
We were interviewing for a mid-weight web developer position. I had advertised for someone with two to three years of PHP programming experience and the other stuff which I think is important (Passion! Detail! Your Own Ideas!) but which everyone just seems to skim over. The team leaders and I had liked one individual out of this group; he was confident and attentive. He seemed like the kind of person who would fit into the group.
So I called him in for a second interview. I use the second interview to do a technical test and ask the more serious questions that I think are a little premature for the first interview. The technical test is straightforward:
Create a user login/access rights system. Users need to have access rights to certain pages. A user must log in and be able to access all the pages they have rights to access. A user must not be able to see the content of a page if they are not logged in or if they do not have rights to see that page. You must provide:
- A rough process-flow diagram.
- A diagram showing your database design.
- A login page and PHP code to implement the above spec.
With this I provided an empty database, a few dummy pages with dummy content (products.php, contact.php, download.php), a machine with an internet connection, PHP and SQL server documentation and a standard set of tools. The interviewee has one hour.
After an hour I stopped the interviewee to have a look at what he had accomplished. He had the basics of a login system (code for login successful/unsuccessful) in PHP. I asked him if he had a database design diagram and he drew a block with users and another block with rights and hesitantly drew a few lines between them.
"But how do you store what rights a user has?" I asked.
"Well here..." he says, tapping the rights table.
"But what if we need access rights for thousands of pages?"
"Um..." says the interviewee.
I moved on to the in-depth questions.
After he left, one of the team leaders and I took a look at his code. The HTML was odd; the parameters had mixed case, which stood out to me as not being hand-written. Not a requirement, I admit. But a small system like this doesn't need complex HTML. The PHP hadn't taken any kind of rights management into account and didn't actually connect to the database. He had left the browser window open. And that is when disappointment turned to shock and incredulity:
- He had copied the login form from the CMS he used at his current place of employment.
- He had copied the PHP code verbatim from the Internet.
I emailed him later that day to thank him for his time but to say that we would not be considering him for the position.