With the Web taking off at a rapid pace, naturally, large numbers of people are jumping on the bandwagon. Who can blame them. As long as there are people equally eager to get "up on the Web", there will be work for all who want it. The trouble is, how do you avoid very inexperienced people who make all sorts of claims and who make an initial good showing but can't pull a growing site together after it starts to get large and complex?

My feeling is that the web development industry is highly populated with folks like that. Here's the thing. It is simple for pretty much anybody with a computer to run out to COMP USA (or whatever) and buy a web development software and create pretty nice pages. In fact, this is so easy, I don't understand why anyone would want to pay for this service in the first place. For a simple site many people who are only moderately computer literate have worked up their own web pages. If this is all that is needed, fine. Others have hired out their development and/or design work.

I have seen some wonderful looking graphical pages out there. But this is not an end in itself. What happens next is that after getting a little work and being successful designing COOL looking pages, someone approaches this developer with a project that (eventually) will turn out to be far more programming intensive that anyone had imagined. You DO know that HTML is not programming don't you. There is no logic with HTML, a web server just outputs whatever pages the user selects and the client browser proceeds to render the text or images.

In no time at all, you have a full blown software project on your hands and you need major league help. It needs to be planned and implemented so that it works and provides a solution to the problem at hand. More importantly, a commercial web site should be designed to handle more traffic than originally planned to allow for expansion. There are stories of methods used to get a commercial site running that were outgrown in only a few months of use. In this respect, those sites are both a success and failure all at once.

Horrendous performance can result if the database details are not handled by experts in large-scale data processing and OLTP (on line transaction processing). I am not trying to say that no one should get a chance to prove themselves and work their way up the techno-ladder. Just to be especially watchful of hype and babble. Don't let fancy printed material substitute for hard core knowledge. Here are some things to be demanding about lest you hire a junior Geek that talks up a good web site but ends up delivering an "Eighth Grade Science Project" (if they deliver at all)!

Questions to ask:

1. What operating systems are you an expert with? While there is not necessarily a single "best" OS to run a web site on, far and above the most popular platform is UNIX. The problem, a small amount of current developers are masterful with it. Make sure you are not handing a difficult application to people who really only know their way around PCs they will not be able to extract but a small fraction of what the server can do. MS Windows NT is probably second (and closing fast) in popularity for web hosting mostly because of its ease of use and well, it is Microsoft. Perhaps if the site is to run under that OS, experts with it are your best bet.

 

2. How many large commercial sites have you worked on? Is there a best answer to this? Chances are, a person who has done a wide variety of big projects is more experienced than another who has not (but this is not guaranteed though). Remember that the web is new, elder Statesmen even, have only had a few years to get up to speed. Make sure your potential developer has at least one or two large-scale commercial jobs to show you ahead of time. Don't accept just a promise. Ask for references and to see samples of work. Another good idea is to make your potential developer demonstrate skill by putting together a trivial prototype of the project

 

3. Can you explain the complicated aspects of them? o o Just because a person has their name in the credits does not mean they were the brains behind the project. Large projects are sometimes worked on by several people (Designers, Artists, Programmers). Grill the person about how the programs do their processing, if possible with other computer people with you. Use your best judgment (is this person really clear on the issues?). Don't just nod your head during the explanations, ask questions. It's for your own good.

 

4. What tools do you use to assist you with you work? Beware of someone who uses "nothing but" off the shelf software, especially the kind you can buy at any PC store. Real experts have favorite tools many or all of which are not main stream. Reason?... Main stream software from a technical standpoint is often watered down to make it easy for non-techies to use. Experts will be held back by such packages and refuse to use then. It is common for expert web developers to not even use a "Hypertext Editor", they know the mark-up by heart and prefer to enter all code by hand using an ordinary text editor (thus having complete control of the output

 

5. What are CGIs and what can they do that static HTML can't? Generally, web pages are static. This means they are the same each time they are accessed. The only thing that can cause them to be different is if the site maintainer actually opens the files for editing. Data-processing, especially handling fill-out forms and such cannot be done without more sophisticated method. CGI (common gateway interface) programs are the standard way of going about this. Soon client side processing (Java Script and friends) will become popular. I suggest staying away from this technology for about another year or so. It's just not well enough supported yet to invest money on. CGIs are used on the server to read data sent back from a client (web browser). Any one of number of actions can be taken with this data. Generally, some computations are done and HTML code is output by the CGI. This code will be rendered on the client. In this way, pages can be produced on the fly (search engines use this method). 90% or more of web sites don't have CGI requirements and, therefore, a much smaller number of people are fluent in putting these types of systems together. Some will say that this is where the line between average and excellent is drawn. I tend to agree.

 

6. Do you purchase most or your tools or are they free? Believe it or not, some of the very best tools are available free of charge via the Internet. A high percentage of the world’s best programmers have developed and used these tools. What is interesting to note is that with free software, there is not normally a formal support channel. The products are well documented but there is not phone support (for example). What this means is that one needs to be especially wizardly to work in this kind of environment. The learning experience is wonderful. Do you know that the most popular web server software "Apache" is free software. How about Netscape? Also free! (well... sort of). You can buy these products too and maybe even get a small handbook and a support line to call for hand holding. Real computer experts seldom need help solving problems. Favor people with this type of thinking.

 

7. Do you try always to achieve "State Of The Art"? State of the art is a common "mistake" made by some developers. It is fine to try to achieve a high-tech look on a customer's site. What's wrong with this approach is that many clients will not be able to realize the full potential until they upgrade their browsers, add plug-ins or whatever. Also, standards in the industry are way behind current state of the art. To be sure the web site will work for the largest percentage of clients, it is a very good idea to avoid the hype. Wait at least six months to a year after the introduction of a new feature (example frames, tables etc.) so it's supported by your visitors' application. A really good programmer can work miracles without having to rush out and try new toys as soon as they become available

 

8. What additional complexity does running SSL entail? SSL is a method of securing commercial transfers by using encrypted sockets (communication channels) to pass the data back and forth between browser and server. Normally a CGI program is running on the server, which will process some type of private data such as credit numbers. The data which the client enters into a form is first encrypted before being sent to the server. This way, the data is somehow intercepted, still it cannot be read. Many commercial web sites which handle online ordering desire this type of service. Not all web hosting services offer SSL servers (though, most do). Some hosting services will actually run two different web server processes on the host computer, one for non-SSL (typical hypertext transfer protocol), another to handle the SSL part. This makes the server configuration more complicated. I have even seen where a two different brands of server software was used for the same site. This is to be avoided at all cost. Running both SSL and regular mode servers further complicate sites where passwords are used to restrict access. The SSL adds another "Realm of Authentication" because it changes the URL slightly of a given page. Without care, users may have to login twice to gain full access. There may be additional changes for a server with SSL capabilities and there are other methods also being tried. SSL is the most though.

 

9. What makes you qualified in computer security? o o Security is important on web sites where there is actual data processing done (as opposed to dumb sites consisting of only static pages). Any time a form is processed, programs run on the host computer on behalf of the client. At time, if the programs are not coded in a secure way, it is possible to "trick" the program into doing things that it was not intended to. Imagine a CGI which processes credit card information being made to output the entire database of OTHER peoples registered information. This has actually happened. Few developers know enough about security to keep out determined hackers. Best to have a consultant who specializes in security evaluate the site before putting it on line. Make your programmer guarantee a reasonable level of security before contracting with them for the project. There is enough to be said for security to take up an entire article and, I feel so strongly about this that I just may write one myself.

 

10. Is it right to optimize for Netscape (or other)? o o I would say that no matter how tempting it is to include features in your web site that cater to a particular browser it is generally a bad idea to do this. Despite hyper-text being somewhat non-standardized, there are plenty of useful features in current standards to do most anything. Netscape and MS Internet Explorer would love nothing more than for designers and programmers to incorporate lots of their special extensions in new pages. This would help to insure that people purchase and use those browsers. Unfortunately this goes against the very soul of the Internet. The spirit of cooperation is broken by these special extensions.

More Questions & Points (contributed by others)

1. A simple database skill test Contributed by Chris Shepard. If it's possible to provide a working UNIX environment to your potential programmer. Have them construct a trivial database example using only HTML 2.0. o Provide a form to create, change or delete a record, perhaps as simple as Name, Address and Phone Number. o Use Shell, Awk, Perl, C/C++ or Java only. o Allow only an hour or two to get it working. This will be a simple task for any experienced CGI coder but will stop an ordinary HTMLer dead in His (or Her) tracks. Keep in mind that a simple working example is all that is needed.

 

2. Getting a page by Telnet Contributed by Michael Tilp. It is not difficult to contact and speak directly to a web server process on a host using a telnet connection. In this scenario, YOU ARE the browser. Valid requests result in data being sent by the server. Type: telnet www.some.website.com 80 o Type: GET /some-valid-path HTTP/1.0 Type: a-blank-line Not all web servers listen to port 80 but most do. The server will not make any indication of the established connection, it just waits silently to read a request. Client side (you) issue the same type of request a browser does. Page (or error message) will follow.

 

 

3. What sorts of questions does the Developer ask YOU? Contributed by Brian Foy. Clients should be wary of CGI developers who don't ask a lot of questions during the development time. Questions such as "what is the purpose of this program?", "what's the easiest output format for you to work with?", and "what's the real problem you want to solve?". I've seen developers who jump too quickly into the programming and finish the task the client gave, but didn't really solve the problem because there were really larger problems at hand -- that is, the problem the client asks you to solve is not necessarily the problem! There may be bigger issues of which the client is not aware (would he be hiring you if he was?). Consultants or developers should ask lots of questions about the concept, intent, and solution of a problem. Clients may also wish to check Deja-News to see if their potential developer; o asks lots of questions o answers lots of questions o some of both, or o not even present. If the developer is asking a lot of questions, especially on a basic level, beware! If the developer is answering lots of questions, do his answers make sense? Are they understandable? Does he communicate well and in a polite fashion? After all, this might be how he interacts with you on email.

Points about security and CGI error handling Contributed by Ram Samudrala. Security is a non-trivial issue. Even a complete OS has tons and tons of bugs in it that can be exploited. I don't think there is an "uncrackable" OS. So, while a client may demand security, it's non-trivial to provide it. My suggestion to people who use my programs are (1) to keep extensive backups, and (2) do some user authentication if it's important so you know who did what on your pages. The most important feature lacking I think in many CGI programs is error handling. If things go wrong internally (which it can, especially given memory limits and such), then the program should exit gracefully and report the error. I've seen a few applications that don't always do this. I think ONE test of how good a CGI programmer you are is based on how well you handle error conditions. Of course, this like security, is a loaded gun, but I think there should be reasonable handling of such conditions.