Outsourcing code and how to minimize risks

by alv22
16 replies
Hi warriors.

I want to talk a bit on outsourcing PHP and give some tips on evaluating PHP code.

Many of you already have outsourced coding, or will sometime in the future. I'm a coder myself, but I've outsourced several projects due to a lack of time, and a couple of times I've been disappointed in the end. Either the whole process has been sketchy, the code has been ugly or I've just been left with the feeling of being deceived in some way.

Writing PHP is deceptively easy. It's quite simple to hack together some code and see it working. But good code isn't just something that gives you the right results when you give it the right input.

Good code is something that behaves correctly when you give it bad input.


THE "THEORETICAL" PART:

How do I get my hands on this deliciously tempting "good code" then?


1. Ask for a code sample.

Should be obvious for anyone who's bought apples at the market, but in the digital world this is often skipped. Maybe you don't understand PHP at all? Doesn't matter. Ask for a sample.

Do not ask for a sample of the code you wish to order from the provider, but something from past works. Nothing big, just a small sample of some code the provider is proud of.

There's really nothing special that he/she's proud of? Ding, ding say the warning bells...

There's no code that isn't NDA'd or everything's licensed confidentially? This means no hobby projects or other personal interests in coding? Ding, ding, ding...

Asking for a sample accomplishes two things. You actually see a sample of what you are getting, and thus can evaluate it. But it also sets a bar, sends a message that you expect quality code, and will check the files out after the provider sends them to you - probably before the last payment.


2. Never ask for "just something that works"!

I've seen this on Elance and rentacoder time and time again. Someone posts a "quick and dirty job" on the site. Gets a hundred offers, accepts one - sometime in the future receives something that's way too dirty.

You can very well end up with something that works - or you might end up with something that looks like it works.


3. Paying a bit more for good code may actually save you money.

I've had to bill a client a lot more than I should have because of the terrible code I've had to rewrite. Modifying good code may drop my workload by half, and I will show this when I send you the bill.

Any future maintenance operations will be much faster, easier and cheaper if the code is good right from the start.

Also, knowing your code is of good quality relieves some stress. Having more unknown factors with your websites creates uneasiness, at least in me. Security is something I don't play around with.


4. "This should be very easy."

Yes, some time ago a popular WSO on outsourcing recommended doing this. Right now, it's repeated to death and might not work as you think it does. As a coder, I HATE seeing this on a job title or in the first few lines of the job description.

You'd think it drops the bid prices. It might. But also you are luring in the people who only hunt for the easiest, quickest and dirtiest jobs they can find. You can see where this is going.

There's nothing wrong in saying you think "this should be an easy task". But don't advertise it in the title if you wish to keep the worst providers out.


5. Write as specific documentation as possible on what you want, before closing the deal.

If you don't know what you want, you can be sure your providers will not know what you want, at all. Giving them as much info as possible before they start makes it a lot more probable to get what you want, how you wanted it.

It can also lower the prices providers will ask you. If you tell me "this should be easy", without documentation it might very well be the opposite. If I see a well documented job description and feel the communication is honest, I KNOW if it's an easy job and will bid accordingly.

Also an important point to note: If a work assignment goes somehow bad, and you want out, a good documentation will make solving conflicts much, much easier. When the terms and goals are in black and white, it's much harder to weasel out by referring to "artistic differences".


THE PRACTICAL PART:

Let's get into the code. What to look out for?


1. Bad variable names.

If you outsource to a foreign country with a native language other than English, make sure the code is also written in English. I've had to fix code that had variables written in Hindi. Despite otherwise good documentation in English, modifying the code was slow and painful.

Testing for this is pretty easy. Open the file and start reading. Are the variables (words that start with a dollar sign) actual English words? Most of the variables should be understandable. See a lot of abbreviations or jumbled letters? Not good. $iterator isn't harder to type out than $i or $itr, but makes for much easier maintenance.


2. No inline documentation.

If you think that another person may ever touch the code, have your developers document the code properly. This doesn't just mean the readme.txt with your work, but inline documentation.

Random example (just a quick google result, no affiliates here):
PHP5 PDO Singleton Class

Check out the code example. See the red parts with lots of *'s? These are called DocBlocks - they are a form of inline documentation, and these parts tell the developers on each function what it does, what variables it accepts, what results it should return, and preferably, how you should use it.

Good programmers worth their salt always write inline documentation. There really aren't any good reasons not to have it. If "it's such a small program" and only took 5 minutes to write, it should have taken way less than 5 minutes to write documentation for it.

Here's the most important part: Good documentation is the best sign that the programmer himself knows what he's doing. Clear, organized heads write clear, organized instructions.


3. Bad indentation & filing.

Is the code indented well? In the previous example you can also see some good indentation. Is there enough space in between the code, or does the code look cramped?

Is the provider's submission one huge file, or is it separated into different files/folders? (This might not be relevant for smaller jobs, but keep your eyes open.)


4. SQL and XSS injection holes and bad database interaction.

Now it gets trickier. You have to know a whole lot of PHP to see the most cryptic security holes, but you can always check for the obvious signs of bad code.

Here are some... Actually, scratch that. I was going to go on a tangent on how to spot bad MySQL-queries and such - but really, there's no point.

Try and search "mysql_" in the program files or the database class file if you have one. You really shouldn't find these anywhere.

There's something called PDO, which stands for PHP Data Objects. It was added to default PHP installations in PHP 5.1, which is now 6 years old. It's a huge help in disabling SQL injection attacks and keeping the code neat.

I'm going to be a bit arrogant here, but: There are no excuses for not using PDO. No amount of sanitization and validation of your variables is ever going to be as good as prepared statements.

If your project is for a CMS, the plugin/theme should use the CMS's own functions and classes for database work. But if the project requires you to work in your own database, make sure your developer knows how to use PDO!

Quick tip: Listing "Knowledge on PDO and prepared statements required" in your job description helps you weed out the worst providers.


5. Undefined variables and notices.

If you're evaluating a WordPress plugin or something similar, open the main plugin file and right after the first <?php -tag and possible comments, paste this and save:

Code:
ini_set('display_errors', true);
error_reporting(E_ALL | E_NOTICE);

This enables ALL errors to show. Notice-level errors are non-fatal errors that don't show up by default, but are potential bugs in your program. If there are any, they should now spring up when you reload your site. A notice is at best a sign of a lazy developer and at worst, a security hole.

Be careful with this on production sites! It most likely won't break anything, but if you have badly written plugins your site's frontpage might display a whole list of errors to your visitors while the above line is in your plugin. This is why you should have an empty WordPress installation to test your stuff on first. After checking for notices, remember to remove the pasted lines.


IN CONCLUSION:

Note that these tips don't tell you when code is efficient. Efficient code may well be ugly and difficult to decipher. But good code is also well documented and works when sent bad data.

If you have any questions, I'd be glad to answer them.

This is not a post to turn you off cheap providers, there are a lot of good opportunities out there. Many of these good opportunities are inexpensive. Go out and have fun!

(Five hours later, this really seems longer than what I first decided to write...)

Peace out,
Alfred
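
To illustrate point 4 of the practical part above (an added example, not code posted by anyone in this thread): the same lookup written with string concatenation and with a PDO prepared statement, run against well-formed and malformed input. The `users` table, the function names and the sample addresses are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added illustration; all names and sample values below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');

// Seed three constructed rows, one of which legitimately contains a quote.
$seed = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
foreach (['alice@example.test', "o'brien@example.test", 'root@example.test'] as $email) {
    $seed->execute([':email' => $email]);
}

/** Pattern to reject in review: input is pasted into the SQL text itself. */
function findUserConcatenated(PDO $pdo, string $email): array
{
    // A quote inside $email ends the string literal early, so whatever
    // follows it is parsed as SQL instead of being compared as data.
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Pattern to expect: the SQL text is fixed, the value is a bound parameter. */
function findUserPrepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Runs one lookup and summarises the outcome without leaking error details. */
function describe(callable $lookup, PDO $pdo, string $input): string
{
    try {
        return count($lookup($pdo, $input)) . ' row(s)';
    } catch (PDOException $e) {
        return 'SQL error';
    }
}

$inputs = [
    'well-formed address'    => 'alice@example.test',
    'legitimate quote'       => "o'brien@example.test",
    'quote changes the query' => "nobody' OR '1'='1",
];

foreach ($inputs as $label => $input) {
    printf(
        "%-24s concatenated: %-10s prepared: %s\n",
        $label,
        describe('findUserConcatenated', $pdo, $input),
        describe('findUserPrepared', $pdo, $input)
    );
}
```

Only the well-formed address behaves the same in both versions; the other two inputs either break the concatenated query or change which rows it returns, while the prepared statement treats each of them as a plain value to compare.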
  • webpro4hire
    Very nice post, I agree with this whole-heartedly. These are things any serious freelance programmer should have mastered and be willing to do.


    I would add a 5a. in the "theoretical" part:

    5a.

    In your documentation to spec the job, clearly specify milestones to be respected by both the provider and yourself. Also detail what happens when those milestones are not respected and the conditions that can/cannot alter a deviation from the schedule.

    Personally, I have a hard time with requesters that do everything in your post, do it religiously and THEY don't keep their end of the bargain. Many times when I bid on jobs and get the go ahead, the requester changes his requests with poor excuses and delays.

    If you want to be taken seriously by expert coders, the ones which WILL get your project moving along, then you must yourself, as the requester, be able to prove your commitment and determination to get things done.


    Otherwise, very solid advice.

    WebPro
  • alv22
    Hi WebPro. Thanks for the addition!

    Truly, providers are not the only ones who should stick to milestones. Setting a schedule and keeping to it is important. It keeps the pace up and above all, it keeps the quality up!
    • jminkler
      Originally Posted by alv22

      Hi WebPro. Thanks for the addition!

      Truly, providers are not the only ones who should stick to milestones. Setting a schedule and keeping to it is important. It keeps the pace up and above all, it keeps the quality up!
      Milestones? Are you serious? I don't even have time to blink on these ppl's deadlines. First I have to wade through piles of crap code to figure out where the last developer was getting the coke he was snorting, next I have to figure out how on earth I can mangle the client's code into the spaghetti mess of garbage I was given to work with, then I have to please his "It needs to move 1px right requests" .. and then MAYBE I'll get paid $20.. milestones .. lolz ok
  • jminkler
    Here is the deal, all this crap code, I contest, is perpetrated by people IN THIS FORUM (mostly). I have seen the gurus tell people to put in the request "It should be easy for someone who knows what they are doing" and how to undercut people and look, you have crap like "The Software System" now .. like outsourcing wasn't known about before. And I'm sure it's chock-full of ideas on how to rip off the developers. I only laugh though, cause I have seen the code these people have running their BUSINESSES, taking ORDERS, CC Info, Emails personal information about customers ripe for the taking, no joke. It took me all of 2min to find 5 holes in another Warrior's site, and completely shut the ENTIRE site down while I was contracted to check the "User experience" and "Design". Most of you could care less. But I will tell you what, you are all getting what you pay for on tight deadlines and budgets, not to mention slow sluggish pages and huge bandwidth costs (if you have real traffic). I applaud this thread, but I think nothing will change. Just like nobody cares that you can create Apps for android for FREE without a coder, no you have to Buy a whole course on how to create software for iOS .. totally awesome! (android is killing iOS btw) As we speak, I see no less than 5 requests in my inbox to fix "some script that doesn't work" so keep paying the bad coders. PLEASE!
  • jminkler
    You also forgot copy and pasted code. I was on an "awesome" site last night with 50 different "category" pages (yes different files) that only had 1 or two characters changed, the Category ID. But, of course they wanted all the HTML changed. Luckily I had it in my heart to fix all this and make a function .. I wasn't about to change the same HTML on 50 pages :-p
  • webpro4hire
    jminkler .. sounds like you are dealing with some pretty bad clients!

    Now it's your choice to do the "move 1px to the right and get paid $20" jobs, if it's just too much trouble .. charge $100! they'll listen

    Frankly, as you gain experience and a reputation, you get to choose who you work for and what type of projects you tackle. I know I wouldn't be caught dead fixing a patchwork of code "just to get this working..." unless it's a client I've done work for in the past or the monetary reward is worth it (ie as in lots of $$$).

    One more thing ... please don't blast newbie programmers or ambitious clients, after all, weren't we all newbies at some point? Plus .. most people who try and make a living, who do not understand code and such, they might be in a hurry, it's our job to educate them on how to do things right.

    Cheers,
    WebPro
    • jminkler
      Originally Posted by webpro4hire

      jminkler .. sounds like you are dealing with some pretty bad clients!

      Now it's your choice to do the "move 1px to the right and get paid $20" jobs, if it's just too much trouble .. charge $100! they'll listen

      Frankly, as you gain experience and a reputation, you get to choose who you work for and what type of projects you tackle. I know I wouldn't be caught dead fixing a patchwork of code "just to get this working..." unless it's a client I've done work for in the past or the monetary reward is worth it (ie as in lots of $$$).

      One more thing ... please don't blast newbie programmers or ambitious clients, after all, weren't we all newbies at some point? Plus .. most people who try and make a living, who do not understand code and such, they might be in a hurry, it's our job to educate them on how to do things right.

      Cheers,
      WebPro
      Naw, I haven't got a single contract on odesk/vworker/scriptlance or whatever that wasn't a guy who is doing to bid for somebody else and is sub-contracting me (ok so maybe here and there but mostly no). And you don't find that out till after ... Not much I can do, need the $. Experience? I've been doing this for almost 10 years, it's always the same song and dance.
  • jminkler
    I got one ... A few days before your coder is almost complete, run this program (or have someone else run this program for you) against your site: SkipfishDoc - skipfish - Project documentation - Project Hosting on Google Code. Then, cry.
  • mahesh2010
    Hi,
    Great information
    this would be helpful for me at the time of developing
    code as a developer thanks for Nice information
  • webpro4hire
    SkipFish is very useful. I would never put out a site / app without having a security audit performed (automated AND manual, when possible)


    I agree also about the freelancing sites. They have become ineffective for newcomers (and been that way for years). If you haven't made a name for yourself early on on those sites .. forget it! it'll be next to impossible to successfully bid on interesting jobs.

    On the other hand .. that market is ripe for a (re)volution. I mean, who has time to cycle through 200K potential providers? Hence providers with established accounts win nearly all bids, then subcontract out to other providers.

    I do all the freelance sites, but do not put a lot of effort into bidding. Only when a project seems interesting and requires real technical effort will I spend the time to write out a bid.

    L8r,
    WebPro
  • alv22
    Originally Posted by jminkler

    Milestones? Are you serious? I don't even have time to blink on these ppl's deadlines. [redacted] $20.. milestones .. lolz ok
    Drop the attitude. We're trying to be constructive here. You're probably going for the wrong jobs.

    And yes, I'm serious. Setting milestones has been very good for me. Above all, they keep me from messing up my own schedules. When there are 3-4 people working on different parts of the project, if you lose track of the project and delays start stacking on top of each other, everything will slow down to a crawl. Keeping everyone engaged to the project is important. If there are more than 2 people working on the same project, doubly so.

    (There's no point in setting specific milestones for very small jobs, but that should be obvious.)

    Oh, and thanks for the skipfish link. Useful.
  • LaTonya Johnson
    This information has been extremely helpful! Thank you all for your input;-).
  • DavidWincent
    Well, a very long read indeed. But it is extremely useful. It is a good practice to set milestones and what's more important is to achieve those milestones.
  • ussher
    Originally Posted by alv22

    Are the variables (words that start with a dollar sign) actual English words? I've had to fix code that had variables written in Hindi.
    hahahahah!!!! that is SOOO funny!

    PhpStorm has great re-factoring but I can just imagine your pain.

    Thanks for making my day.

    Great tips too.
  • drewmcntyre
    Thanks, thank you so much for sharing these tips online here on this forum. It is really informative post for me. Bookmarked.
  • MattVit
    Good post. You pick up on a problem of non-programmers posting programming jobs and not caring about how it's done - "just get it done". It's hard to tell them that this is important as they may feel it unimportant, so long as it does the job. As such, they'll always go with the cheaper provider.