Backend Junior - Technical Assessment

Candidate information

Full name

Email

Phone (optional)

Years of experience

CV / Resume Accepted formats: PDF, DOC, DOCX. Maximum 5MB

Knowledge questions

This PHP code has a critical vulnerability: `$id = $_GET["id"]; $result = mysqli_query($conn, "SELECT * FROM users WHERE id = $id");`. What is the problem?

Missing connection close with `mysqli_close($conn)` after executing the query, which causes memory leaks in persistent connection pools

The main problem is using the `mysqli` extension instead of PDO, which offers native prepared statements and more secure database abstraction

SQL Injection: the `$_GET["id"]` value is concatenated directly into the query without sanitization, allowing arbitrary SQL injection. Solution: use prepared statements with `mysqli_prepare()` and `bind_param()`

Missing validation that `$conn` is not null before executing the query, which would cause a fatal error if the database server connection failed

What is the difference between `include`, `require`, `include_once`, and `require_once` in PHP?

`require` throws a fatal error if the file does not exist (stops execution), `include` only emits a warning and continues. The `_once` variants prevent including the same file multiple times, avoiding redeclarations

There is no functional difference between them, they are synonyms maintained for backward compatibility with earlier PHP versions and can be used interchangeably

`include` is designed for CSS files and static assets while `require` is exclusively for PHP files with business logic

`require_once` is significantly slower than `require` due to internal file tracking and should not be used in production for performance reasons

This Python code has a subtle bug: `def add_item(item, items=[]): items.append(item); return items`. When calling `add_item("a")` then `add_item("b")`, what does the second call return?

Returns `["b"]` because Python creates a new empty list on each function invocation when the argument is not explicitly provided

Throws a TypeError because you cannot use a mutable list as a default value in a function signature in Python 3

Returns `["a"]` and `["b"]` separately since each function call operates in a completely independent scope with its own copy of the list

`["a", "b"]` — because the mutable default argument (`[]`) is shared across all function calls. Solution: use `items=None` and `if items is None: items = []`

What is the difference between list, tuple, and dictionary in Python?

They are identical data structures with different syntax, maintained for backward compatibility with earlier versions of the Python language

List is mutable and ordered (`[]`), tuple is immutable and ordered (`()`), dictionary is mutable with key-value pairs (`{}`). Lists for modifiable collections, tuples for fixed data, dictionaries for mappings

Tuple is faster than list in absolutely all use cases because the Python interpreter optimizes immutable structures at the bytecode level

Dictionary maintains insertion order only in Python 2; in Python 3 dictionaries are unordered and OrderedDict is needed to maintain order

This Node.js/Express endpoint never responds: `app.get("/users", async (req, res, next) => { const users = getUsers(); res.json(users); });` where `getUsers()` returns a Promise. Why?

The problem is using `res.json()` instead of `res.send()`, since `res.json()` cannot serialize Promise objects and gets stuck in an undefined pending state

The `async` keyword cannot be used in Express route callbacks because the router does not support asynchronous functions as request handlers

Missing `await` before `getUsers()` — without await, `users` is a pending Promise (not the actual data), and if the Promise rejects, the error is not caught and the request hangs

Missing `app.listen()` call at the end of the file for the server to start listening for incoming connections on the configured port

How does the Node.js event loop work if it is single-threaded?

Node.js uses multiple threads internally for absolutely all operations, including JavaScript execution and callback processing

Node.js cannot handle multiple requests simultaneously; it processes them one by one in FIFO order and each request must complete before serving the next

The event loop processes callbacks on a single thread, but delegates I/O operations (disk, network, DNS) to libuv which uses a thread pool. This allows handling thousands of concurrent connections without blocking the main thread

Single-threaded means Node.js can only process one request per second, making it unsuitable for applications with high concurrency requirements

This SQL query returns fewer results than expected: `SELECT users.name, orders.total FROM users LEFT JOIN orders ON users.id = orders.user_id WHERE orders.total > 100`. Why?

The `WHERE orders.total > 100` eliminates rows where `orders.total` is NULL (users without orders), effectively converting the LEFT JOIN into an INNER JOIN. Solution: move the condition to `ON` or add `OR orders.total IS NULL`

The LEFT JOIN clause is not compatible with the WHERE clause in standard SQL and produces undefined behavior depending on the database engine used

Should use RIGHT JOIN instead of LEFT JOIN to get all users, since LEFT JOIN only returns records from the right table that have a match

The problem is a missing composite index on `orders(user_id, total)`, which causes the query optimizer to discard results due to execution timeout

What is the difference between `WHERE` and `HAVING` in SQL?

They are completely interchangeable clauses that only differ in syntactic position within the query, with no real functional difference

`HAVING` is faster than `WHERE` in all cases because it executes after indexing and leverages indexes more efficiently

`WHERE` only works with numeric columns and comparison operators, while `HAVING` is designed exclusively for filtering text-type columns

`WHERE` filters individual rows before grouping (cannot use aggregate functions). `HAVING` filters groups after `GROUP BY` (can use COUNT, SUM, AVG, etc.)

When would you choose MongoDB over PostgreSQL and vice versa?

MongoDB: flexible schema (variable product catalogs, logs, semi-structured data), native horizontal scaling. PostgreSQL: complex relationships (e-commerce with inventory, finance), ACID transactions, complex queries with JOINs

MongoDB is always better for modern web applications because its document model is more natural for REST APIs and eliminates the need for migrations

PostgreSQL is only for legacy applications and inherited systems; any new project should exclusively use NoSQL databases for performance

MongoDB is a relational database with JSON syntax and PostgreSQL is NoSQL with document support, so their use cases are inverted

What is Redis used for and what data structures does it offer beyond simple key-value?

Redis is exclusively a simple key-value cache identical to Memcached, with no support for complex data structures or disk persistence

Redis is a relational database that operates entirely in memory, with support for tables, JOINs, and standard SQL transactions

Redis only stores plain strings and does not support any other data structures; for complex structures you need to complement with MongoDB

Redis is an in-memory store used for caching, sessions, queues, and pub/sub. It offers: Strings, Hashes, Lists, Sets, Sorted Sets, Streams, and probabilistic structures (HyperLogLog, Bloom filters)

What HTTP codes correspond to: resource created, validation failed, unauthorized, and rate limit exceeded?

200 OK, 400 Bad Request, 401 Unauthorized, 500 Internal Server Error — using the most generic codes available for each response category

201 Created, 422 Unprocessable Entity, 401 Unauthorized, 429 Too Many Requests — each code semantically communicates the specific situation to the client

200 OK, 404 Not Found, 403 Forbidden, 503 Service Unavailable — prioritizing the most commonly implemented codes in modern REST APIs

201 Created, 500 Internal Server Error, 403 Forbidden, 408 Request Timeout — combining success codes with server errors for maximum compatibility

What is the difference between goroutines in Go and operating system threads?

They are exactly the same; goroutines is simply the name Go uses to refer to operating system threads with no implementation difference

OS threads are lighter than goroutines because the operating system kernel is optimized to manage concurrency more efficiently than a runtime

Goroutines are green threads managed by the Go runtime: ~2KB stack (vs ~1MB for an OS thread), multiplexed onto few OS threads (M:N scheduling), and their creation/context switching is much cheaper

Goroutines cannot run in true parallelism, only concurrently on a single core; for true parallelism native OS threads are needed

Coding challenge

Develop a REST API with JWT authentication that manages a complete CRUD for "projects". The API must include data validation, consistent error handling, and pagination on listing endpoints.

Requirements

JWT authentication (register, login, route protection)
Full CRUD for projects (create, read, update, delete)
Input data validation with clear error messages
Pagination on listing endpoint (limit/offset or cursor)
Consistent error handling with appropriate HTTP codes

Examples

Input: POST /api/projects { "name": "My Project", "description": "Description" } with header Authorization: Bearer <token>

Output: 201 Created { "id": "uuid", "name": "My Project", "description": "Description", "createdAt": "2024-01-15T10:00:00Z" }

Input: GET /api/projects?page=1&limit=10 without token

Output: 401 Unauthorized { "error": "Token not provided or invalid" }

Accepted technologies

Node.js + Express/Fastify
Python + FastAPI/Flask
PHP + Laravel/Symfony
Go + Gin/Echo
TypeScript + NestJS

Solution submission

Repository URL * Supported platforms: GitHub, GitLab, Bitbucket Enter a valid repository URL (https://github.com, gitlab.com, or bitbucket.org followed by owner/repository)

Backend - Junior