PHP Interview / Test

oo7ml

I'm currently looking to hire two additional PHP developers on my team.

I've interviewed quite a few who have good experience, and they talk a good game... however it's hard to know how good they actually will be until they are hired.

Can any of you recommend additional questions or maybe a test to give each candidate in order to assess them further?

Thanks in advance for your help.
Scott Fell, Developer & EE Moderator
>  it's hard to know how good they actually will be until they are hired.

Probably true of any hire.  :)

I have only worked for myself or with one other person and may not be the best to come up with a solution as far as the best interview question. But I do find it is easy to determine a candidate by asking how they would do a particular task I am very familiar with for both logic and actual code. Sometimes they may come up with a better idea and sometimes from that answer you know they are way off base.

It's good to have a consultant help determine answers and you have built in consultants here.  You can look up some solved questions here and even filter on a particular Expert that you trust by clicking on advanced search from that link and the 2nd filter option is to include one or multiple Experts.

You can ask similar questions and compare how your prospective hire answers to your favorite Expert.
Dave Baldwin, Fixer of Problems
Ask them what they do when they don't know the answer.  Some of the top PHP experts here keep sites like open in their browser while they are coding.  PHP has 1000's of functions that are sometimes quirky in their implementation so you just about have to look up the correct syntax.  Other languages are similar.  Perl's CPAN repository has over 25,000 functions last time I looked.  There is just no way that you can remember all of it.
Jeffrey Dake, Senior Director of Technology
I am more of a Java hiring manager than a PHP one, but what I have learned is to ask specific questions that you think a developer on your team should know how to answer.  Usually specific questions about the language will give you a better feel for how well they actually know the language, or at least you will understand how that employee works.  Ask questions like "Can you extend a Final defined class?" or "What is the difference between a Get and a Post request?"  In my experience, asking a specific question about the language and then getting more broad if they can't answer it will usually give you a good feel for what they can actually do.  It is real easy in an interview to say, "yes, I know PHP, I have been doing it for years."

Another good question to ask is to have the person describe in detail projects they have worked on.  Not just the details of what the project did, but ask them how they used php to solve it.  What functions did they use and specifically what code did they write.

Hope this helps at all.

Ask about security programming experience.


QUESTION: Have them (in front of you) write out a bit of code that demonstrates a basic SQL injection vulnerability on a string field and ask them to demonstrate two different ways how they would fix the issue.

Vulnerable query:
$db->query("SELECT * FROM Contacts WHERE Name = '" . $_POST["name"] . "'");

Fix Option #1 (generic data sanitation):
$db->query("SELECT * FROM Contacts WHERE Name = '" . preg_replace("/[^A-Za-z ]/","",$_POST["name"]) . "'");

Fix Option #2 (database-specific escaping):
$db->query("SELECT * FROM Contacts WHERE Name = '" . $db->real_escape_string($_POST["name"]) . "'");

QUESTION: Ask them to list out other security issues or practices that they know about and take into account when programming.

ANSWER: A handful of examples: XSS attacks, avoiding custom-built encryption, salting hashes, URL parameter manipulation, replay attacks, not storing credentials in URLs (to avoid them showing up in server logs), never disabling SSL certificate validation on cURL calls, knowledge of PKI (private/public key).


QUESTION: Let's say you're building a script that makes a call out to a remote HTTPS server but it keeps coming back with an error about failing certificate validation. How would you fix it?

ANSWER: There are a couple of things that can be done, but what you DO NOT want to hear is an interviewee say that you can just disable certificate validation (set the "VERIFYPEER" option to 0 or false). That's a really bad answer. A correct answer will probably entail adding code to point cURL to a Certificate Authority (CA) bundle or to specific certificates.


QUESTION: What's the difference between SSL and TLS, and can you talk a little about the versions?

ANSWER: A correct answer will suggest that TLS is just a newer version of SSL. The order in which it goes is SSL 1.0 -> SSL 2.0 -> SSL 3.0 -> TLS 1.0 -> TLS 1.1 -> TLS 1.2 -> TLS 1.3. Ideally, the interviewee will also know that everything from SSL 1.0 to TLS 1.0 is now deprecated and the new minimum standard nowadays is TLS 1.1, but most systems use TLS 1.2. The TLS 1.3 protocol is not completely stable / released yet (there are draft versions out there but everyone is still on 1.2).

I would not expect interviewees to know much more than that, but if they demonstrate an understanding that ciphers are different from protocols or things like that, that's a pretty good sign.


QUESTION: Name two things a private key can do and two things a public key can do?

ANSWER: Ideally, they'll say that a private key can (#1) decrypt data and (#2) sign data. A public key can (#1) encrypt data and (#2) verify a data signature.

QUESTION: What's the difference between a public key and an SSL certificate?

ANSWER: The ideal answer will talk about a certificate being a "container" for the public key and that it contains additional information about that public key, such as its issuer (and it's usually signed by a private key to validate its authenticity).

QUESTION: What's a self-signed certificate and when would you use one?

ANSWER: It's an SSL certificate that has signed itself (so it isn't "issued" by a different certificate). You'd typically only use a self-signed certificate in internal environments such as development/testing. Anyone can generate their own self-signed certificate for free, but when used on a web server, it will throw browser warnings unless it is added to a trusted CA store on each workstation that visits a secure page on the server. So it's not good for public-facing web pages, but it's good for cutting costs internally (avoiding buying expensive certificates for internal development purposes).


QUESTION: Let's say a PHP script runs a query and it's running pretty slowly. The code looks like this:
if($rs = $db->query("SELECT * FROM FileAttachmentData WHERE FileName LIKE '%" . $filename . "%'")) {
  while($row = $rs->fetch_assoc()) {
    $uploader_name = $row["Uploader"];
    $upload_date = $row["UploadDate"];
  }
}

Name some of the things you would investigate or change in order to speed up this code.

ANSWER: Ideally, they'll cover a few different things, and if they ask you whether the table contains binary data or blobs, then that's a good sign they're on the right track.

#1. Change SELECT * to SELECT Uploader, UploadDate to avoid selecting columns that aren't even used by the code, particularly any fields that contain large amounts of data.

#2. Check the indexes on the FileAttachmentData table to see if the FileName column is indexed.

#3. Use a LIMIT or query by a primary key or a specific filename (instead of wildcards) to avoid selecting undesired rows of data.

#4. Perform a DESCRIBE or EXPLAIN on the query to see how the database is executing it. This is often an optional answer which is connected to answer #2.


QUESTION: What are some major differences between InnoDB and MyISAM?

ANSWER: There are a lot of differences, but ideally one of them will talk about InnoDB using row-level locking while MyISAM uses table-level locking (which often makes InnoDB a better choice for tables being used a lot by multiple people at the same time). Another one you probably want your developer to know is that InnoDB allows transactions. Again, there are a lot of other differences, but those 2 are going to be important to developers doing DB work.

QUESTION: How many fields can you have in one table?

ANSWER: This might be a "trivia" question for developers, but it might be important to you if you have big databases with wide tables. The technical answer is that there's no specific limit on the number of fields, but rather that a table has a limit on the number of bytes that can be in a row, and each column/field in a table takes up a different number of those bytes. A good way to explain it is that you might be able to fit 1000 children into a gym or 50 cars (or 25 cars and 500 children). So it's not a specific number like 1000 or 50 but rather that the gym has a fixed amount of space and it all depends on how much of that space is taken up by each field.

QUESTION: When would you use a DATETIME field to store a date and time versus simply storing a UNIX timestamp into a numeric field?

ANSWER: The UNIX timestamp is a 32-bit number that has a limit range, traditionally starting at the beginning of 1970 and going until the year 2038. So if you needed to store something like a birthdate of someone who was born before 1970 or maybe a far-off expiration date (e.g. a passport expiring in the year 2040), you'd probably want to use a DATETIME field. The UNIX timestamp can be useful in specific, limited-range scenarios, though, and is not timezone-specific. The DATETIME field values are also easier to read when you're just working directly with the database.

QUESTION: What timezone are DATETIME field values stored as?

ANSWER: The database server's timezone is the implied timezone, although timezone is not currently part of that field, so it's usually up to the code to handle timezone calculations.


QUESTION: Let's say you have a form that has a name text field and then uses Javascript to dynamically add new text fields to the form each time a button is clicked. Each new text field lets the user put in one of their favorite things. How would you name the new "favorite things" text fields so that the resulting $_POST array looked like this:
$_POST: Array(
  name => John Smith
  favorite_things => Array(
    [0] => "ice cream",
    [1] => "basketball",
    [2] => "quantum physics",
    [3] => "pokemon"
  )
)

ANSWER: Using square brackets in input fields will set up the sub-arrays as desired, like this:
<input type="text" name="favorite_things[]">
<input type="text" name="favorite_things[]">
<input type="text" name="favorite_things[]">
<input type="text" name="favorite_things[]">

...or if the interviewee wants to be explicit...
<input type="text" name="favorite_things[0]">
<input type="text" name="favorite_things[1]">
<input type="text" name="favorite_things[2]">
<input type="text" name="favorite_things[3]">


QUESTION: Show examples of object-oriented PHP that include: a parent class, a child (extended) class, constructors with parameters, usage of private, protected, and public scoping, at least one magic method, and namespaces. Also include a bit of code at the end that makes use of the classes AND a line of code that tries to INCORRECTLY access either a protected or private class property.

ANSWER: If it's up to them, the answer could be widely varied, so you may need someone to validate that all the requirements are met.

QUESTION: Let's say you had a PHP script at /web/parent.php that included /web/modules/child.php and the child.php file simply has the following 2 lines of code:
echo __FILE__ . "::" . __LINE__ . "\n";


What would be the output of that child.php script?

ANSWER: __FILE__ returns the full filename (including path) of the current file being executed, and __LINE__ returns the line number, so you'd see:

If they also provide information demonstrating a knowledge of other magic constants (there are many), that's a good thing.

QUESTION: Name two different ways you could load an XML file or string in a way that would make it easy to extract data from some of the inner elements?

ANSWER: There are a few ways, but the most common ways are the SimpleXML extension, or the DOMDocument class (part of the libxml extension) or the basic XML parser (xml_parse() functions).


QUESTION: Explain the difference between Unicode and UTF-8 and UTF-16 and UTF-32 and ASCII, and why would you use one over the other?

ANSWER: The answer will vary a bit, but ideally they'll point out that Unicode isn't really "different" than the UTF-... encodings but is rather a standard / system for encoding (e.g. UTF-8 is Unicode, UTF-16 is Unicode, and UTF-32 is Unicode). Unicode itself is a system that is capable of rendering just about any character for any language by using one or more bytes.

Ideally, they'll point out that UTF-8 is typically the most efficient encoding for most purposes, because it can store most common characters with a single byte and only uses multiple bytes for special characters. It uses anywhere from 1 to 4 bytes.

UTF-16 starts with a minimum of 2 bytes for every character and can handle the vast majority of characters with just 2 bytes, rarely having to exceed it (but when it does, it uses 4 bytes). This can be more efficient than UTF-8 in situations where the MAJORITY of characters would take 3 or 4 bytes in UTF-8, since UTF-16 can often get away with just 2 bytes.

UTF-32 uses 4 bytes for every character and is RARELY used (relative to UTF-8 and UTF-16).

ASCII (they might call it ANSI) only uses a single byte and has a variety of spin-off encodings like ISO-8859-1 or Windows 1252 that can represent up to 256 characters (many of those are not printable/visible characters, such as characters that used to make the PC speaker beep). So it can sometimes efficiently store some special characters if they're common enough (e.g. the ñ character in Spanish is covered by several of the spin-off encodings), but it's pretty limited overall.

QUESTION: What's the difference between utf8_encode() and utf8_decode()?

ANSWER: The utf8_encode() function will take one of the ASCII-spin-off encodings like ISO-8859-1 and try to encode any special characters like ñ to their UTF-8 equivalent. In other words, it tries to encode ASCII-type content as UTF-8 content, which is useful when you're migrating an old system (where special characters are stored in ASCII-type encodings) to a new system (which probably uses UTF-8).

The utf8_decode() function is the reverse - it tries to convert any special multi-byte UTF-8 characters into their single-byte equivalents in ASCII-type encoding.

If you want to read more about this multibyte stuff and come up with additional questions, I have an article on that:


QUESTION: Let's say you're using Git source control and you have pulled a repository from a remote server, checked out a branch and made some code changes. How would you get those changes back to the remote server?

ANSWER: The basic three commands you're looking for are going to look something like this:
git add <filename or a period>
git commit -m "<commit message here>"
git push

There are variations on how to do it, but they should be somewhat similar to the above 3 lines.

QUESTION: What's the difference between encoding and encryption? Provide an example of each.

ANSWER: Encoding is simply storing the original content in a particular format, and anyone that knows the encoding can decode it without any special access or knowledge - all they need is the right tool/function. An example of this would be Base64 encoding.

Encryption actually changes the data into a form that cannot be accessed without some kind of special access, such as knowledge of a password or possession of a private key. An example of this would be AES encryption.

QUESTION: What's the difference between symmetric and asymmetric encryption? Provide a common example of each.

ANSWER: Symmetric encryption means that encryption and decryption are both handled using the same special key or password. So if you can encrypt the data then you can also decrypt it. An example of this would be a ZIP file that is encrypted and decrypted using a password.

Asymmetric encryption means that encryption is handled one way and decryption is handled another. An example of this would be public/private key encryption (commonly used in HTTPS).

That should hopefully identify some of their more advanced areas of knowledge. Good luck!

I should probably turn that into an article...
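A third fix for the Contacts query in the SQL injection question, added here as an example and not part of the thread: a mysqli prepared statement keeps the submitted value out of the SQL text entirely. It assumes $db is a connected mysqli object (as in the question) and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example: the Contacts lookup from the SQL injection question, written
// with a prepared statement. $db is assumed to be a connected mysqli object.

function findContactsByName(mysqli $db, string $name): array
{
    // The placeholder is part of the statement; the value is sent separately,
    // so a quote character inside $name is data, never SQL syntax.
    $stmt = $db->prepare("SELECT * FROM Contacts WHERE Name = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $name);   // "s" = bind as string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

$rows = findContactsByName($db, $_POST["name"] ?? "");
foreach ($rows as $row) {
    // Escaping on output covers the XSS item from the "other security issues" answer.
    echo htmlspecialchars($row["Name"], ENT_QUOTES, "UTF-8"), "\n";
}
```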
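For the failing-certificate-validation question, an added example (not from the thread) showing the answer you do not want next to the one you do: validation stays on and cURL is pointed at a CA bundle. The URL and bundle path are placeholders; substitute your distribution's bundle location.

```php
<?php
// Added example for the cURL certificate validation question.
const REMOTE_URL = "https://api.example.invalid/status";   // placeholder
const CA_BUNDLE  = "/etc/ssl/certs/ca-certificates.crt";   // placeholder path

// The bad answer: the error goes away because nothing is checked, so any
// server presenting any certificate is accepted.
function fetchInsecure(string $url): string|false
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // do not do this
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);     // nor this
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// The good answer: keep validation on and tell cURL which CAs to trust.
function fetchVerified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,     // verify the chain against the bundle
        CURLOPT_SSL_VERIFYHOST => 2,        // and that the cert matches the host name
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse a redirect to plain http
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the real error (e.g. "unable to get local issuer certificate");
        // that message tells you which CA is missing from the bundle.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("TLS/transfer failure: $err");
    }
    curl_close($ch);
    return $body;
}

echo fetchVerified(REMOTE_URL, CA_BUNDLE);
```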
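The "two things a private key can do / two things a public key can do" answer, and the asymmetric encryption answer further down, carried out with PHP's openssl extension. Added example, not part of the thread; the key pair is generated in memory for the demo and the message is a constructed sample.

```php
<?php
// Added example: private key signs and decrypts; public key verifies and encrypts.
$keyPair = openssl_pkey_new([
    "private_key_bits" => 2048,
    "private_key_type" => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($keyPair, $privatePem);             // private key: keep secret
$publicPem = openssl_pkey_get_details($keyPair)["key"]; // public key: shareable

$message = "invoice #1042: total 199.00"; // constructed sample data

// Private key, use #1: sign.
openssl_sign($message, $signature, $privatePem, OPENSSL_ALGO_SHA256);

// Public key, use #2: verify (1 = valid, 0 = invalid, -1 = error).
$valid    = openssl_verify($message, $signature, $publicPem, OPENSSL_ALGO_SHA256);
$tampered = openssl_verify($message . " (edited)", $signature, $publicPem, OPENSSL_ALGO_SHA256);
printf("signature valid: %d, after tampering: %d\n", $valid, $tampered); // 1, 0

// Public key, use #1: encrypt. RSA only fits small payloads; in practice you
// encrypt a random symmetric key this way and the bulk data with AES.
openssl_public_encrypt($message, $ciphertext, $publicPem, OPENSSL_PKCS1_OAEP_PADDING);

// Private key, use #2: decrypt.
openssl_private_decrypt($ciphertext, $plaintext, $privatePem, OPENSSL_PKCS1_OAEP_PADDING);
echo "decrypted matches original: ", var_export($plaintext === $message, true), "\n";
```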
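One possible answer to the object-oriented PHP question (parent and child classes, constructors with parameters, private/protected/public scoping, a magic method, a namespace, and a deliberately incorrect property access), added here as an example for the interviewer to check against; it is not from the thread, and the class and property names are made up. It uses PHP 8 constructor property promotion.

```php
<?php
// Added example answer to the OOP interview question.
namespace Interview\Models;

class Person
{
    private string $ssn;     // private: visible only inside Person
    protected string $name;  // protected: Person and its subclasses
    public int $age;         // public: anyone

    public function __construct(string $name, int $age, string $ssn)
    {
        $this->name = $name;
        $this->age  = $age;
        $this->ssn  = $ssn;
    }

    // Magic method: defines how the object is converted to a string.
    public function __toString(): string
    {
        return sprintf("%s (%d)", $this->name, $this->age);
    }
}

class Employee extends Person
{
    // Constructor property promotion declares and assigns $title in one step.
    public function __construct(string $name, int $age, string $ssn, private string $title)
    {
        parent::__construct($name, $age, $ssn);
    }

    public function badge(): string
    {
        return $this->name . " - " . $this->title; // $name is protected: allowed here
    }
}

$e = new Employee("Jane Doe", 41, "000-00-0000", "Developer"); // constructed sample
echo $e, "\n";            // __toString: "Jane Doe (41)"
echo $e->badge(), "\n";
echo $e->age, "\n";       // public property: fine

// INCORRECT access: $name is protected, so reading it from outside throws an Error.
try {
    echo $e->name;
} catch (\Error $err) {
    echo "Caught: ", $err->getMessage(), "\n";
}
```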
> Some of the top PHP experts here keep sites like open in their browser while they are coding.
Hehe, too true. I feel like I always have 2 or 3 tabs open to pages at any given point.

My browser tabs


Wow... this is all amazing stuff, thank you.

I will review in detail over the weekend.
NerdsOfTech, Technology Scientist
Of course, you could outsource the experts from EE with Gigs or 1:1 tech help on a need-to-need basis without all of that overhead :)

total 700 to gr8gonzo for the article-worthy answer. 75 points to other experts.
