
Should you trust Open Source PHP Software from a security standpoint?


jatar_k

3:12 pm on Feb 8, 2008 (gmt 0)

I've been thinking about this a fair bit recently and have had some chats about it with a few coders I trust and respect.

The feeling was,

not at all

I don't know who wrote it and I sure don't know their level of expertise. Most OS software I've used, I have had to rip apart and usually redo a chunk of the security, if not all of it.

I see so many people blindly using anything they find on their sites; the thought makes my skin crawl.

What are the first steps you take when looking at, or using, OS PHP software?
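As an added example (not part of jatar_k's post, and not any project's own tooling): one concrete "first step" before trusting a downloaded PHP package is to let PHP's own tokenizer list the calls that deserve a manual read. Everything below is assumed for illustration: the script name, the list of risky functions, and the sample file it scans when no directory is given.

```php
<?php
// Added example, not code from this thread: a first-pass audit of a downloaded
// PHP package using PHP's own tokenizer, so matches inside comments and string
// literals are ignored (a plain grep flags those too). It points a human at
// places to read; it never concludes that anything is safe.
// Assumed usage from the CLI:  php audit.php /path/to/unpacked/package
declare(strict_types=1);

// Opinionated (assumed) list of calls worth a manual look; not exhaustive.
const RISKY = [
    'eval' => 'code execution', 'create_function' => 'eval in disguise',
    'exec' => 'shell command', 'system' => 'shell command', 'passthru' => 'shell command',
    'shell_exec' => 'shell command', 'popen' => 'shell command', 'proc_open' => 'shell command',
    'unserialize' => 'object injection', 'extract' => 'variable overwrite from request arrays',
    'addslashes' => 'not a SQL escape; use prepared statements',
    'mysql_query' => 'legacy ext/mysql, no prepared statements',
];
const INCLUDES = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];

// Index of the nearest token before/after $i that is not whitespace or a comment.
function neighbourIndex(array $tokens, int $i, int $step): ?int
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (!is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $j;
        }
    }
    return null;
}

// Returns [line, name, reason] for every finding in one file's source.
function scanSource(string $code): array
{
    $out = [];
    $tokens = token_get_all($code);
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            continue;                            // single characters such as '(' or ';'
        }
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) {                    // eval is a construct, not a T_STRING
            $out[] = [$line, 'eval', RISKY['eval']];
            continue;
        }
        // include/require whose argument starts with a variable: the path may be
        // attacker-controlled (local/remote file inclusion).
        if (in_array($id, INCLUDES, true)) {
            $j = neighbourIndex($tokens, $i, 1);
            if ($j !== null && $tokens[$j] === '(') {
                $j = neighbourIndex($tokens, $j, 1);
            }
            if ($j !== null && is_array($tokens[$j]) && $tokens[$j][0] === T_VARIABLE) {
                $out[] = [$line, strtolower($text), 'include path built from a variable'];
            }
            continue;
        }
        $name = strtolower($text);
        if ($id !== T_STRING || !isset(RISKY[$name])) {
            continue;
        }
        // $obj->exec(), Foo::exec() and "function exec()" are not calls to the builtin.
        $p = neighbourIndex($tokens, $i, -1);
        if ($p !== null && is_array($tokens[$p])
            && in_array($tokens[$p][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $n = neighbourIndex($tokens, $i, 1);     // report only an actual call
        if ($n !== null && $tokens[$n] === '(') {
            $out[] = [$line, $name, RISKY[$name]];
        }
    }
    return $out;
}

// Walk a package directory and return findings as printable lines.
function audit(string $root): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (preg_match('/\.(php|phtml|inc)$/i', $file->getFilename())) {
            foreach (scanSource((string) file_get_contents($file->getPathname())) as [$line, $name, $why]) {
                $findings[] = sprintf('%s:%d  %s  %s', $file->getPathname(), $line, $name, $why);
            }
        }
    }
    return $findings;
}

if (isset($argv[1])) {
    echo implode(PHP_EOL, audit($argv[1])), PHP_EOL;
} else {
    // Constructed sample so the scanner can be tried without a package.
    $sample = <<<'PHP'
<?php
$q = "SELECT * FROM users WHERE name='" . addslashes($_GET['name']) . "'";
include $_GET['page'];      // path taken straight from the request
// eval($code);             // inside a comment: not reported
PHP;
    print_r(scanSource($sample));   // addslashes on line 2, include on line 3
}
```

A list like this is a reading guide, not a verdict: every hit still has to be traced back to see whether request data can reach it, and a package with zero hits can still be wide open (SQL built by string concatenation with no escaping at all shows up as nothing here). The other first step it does not cover is checking that the archive you downloaded is the one the project published, by comparing its published checksum or signature.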

omoutop

3:28 pm on Feb 8, 2008 (gmt 0)

I often use scripts for educational purposes, to upgrade my skills/knowledge.

Once I get my hands on something useful, I use it to tutor myself.
I seldom find a script that will suit my needs 100% or my clients' needs 100%. Almost all scripts require modifications and alterations in their core to fit into my projects.

But in case I find a useful (copy/paste) script...
then you are correct... I use it blindly... as it is, no thought into it, no code changes (so far this has happened 2 times, both for forum scripts).

d40sithui

7:28 pm on Feb 8, 2008 (gmt 0)

Like you, I'm very skeptical when using code from other people, except if I really know and trust the person and his/her abilities. Usually, I prefer to write my own stuff. That way I get more out of it and better debugging if issues should arise. But that's just a personal preference and shouldn't deter anyone from using open source stuff.
Now with that being said, I'm not against open source stuff. In fact I do use open source currently. I use a content management system called PostNuke. It was forced upon me since my company was already on the system and they did not want to get off it. So I had to stick with it and learned to live with it. This free OS had a professional website and very detailed sections to help anyone learn and work the system. Furthermore, it has a big forum for anyone who has questions, kinda like this one. Very helpful, btw. I'm not advertising to you guys, but I'm just stating that if the producer of an OS has this kind of support and reputation, maybe it deserves a second glance.
So in short, I guess it depends on the OS and on the developer's preference.

henry0

8:07 pm on Feb 8, 2008 (gmt 0)

Good topic!
Indeed some are excellent.
But most are bloated with so much functionality (to please users) that they too often allow somewhere "a way in" (for example, that well-known forum, offered by most ISPs, that is hacked every other month).

Further, I found that none of them really meet my requirements, so it calls for tons of modifications. That is why I actually rely only on my own stuff, but for carts I won't take a chance and always purchase a brand that has passed strict security tests.

Greatest use of open source: I love performing a "post mortem" on them
and discovering a bunch of new solutions and ideas.
For example, recently I found (cannot even remember where) a very nice and easy way to make BBcode available.

PHP_Chimp

9:09 pm on Feb 8, 2008 (gmt 0)

But if you are talking about open source then surely that includes PHP as well (although you did clarify your statement with your last 3 words)?
So are you saying that you don't trust PHP from a security standpoint?

I agree that scripts found on the web and blindly used are not good for your security, as if you don't understand them, then you don't know the problems with the script. However, I would have to disagree that PHP, Perl, Apache, Linux or any of the other large professional open source distributions have any more security holes in them than a closed source distribution like Windows. With a larger number of people looking at the source for PHP, the bugs and security holes get found quickly, reported and (hopefully) fixed. Windows never gets rid of half of the problems; it gets upgraded and the problems start again.
It may be a little unfair to pick on Windows, however it is the largest closed source distribution I can think of, so it is a good example.

So are you really saying open source is bad, or that non-professional software is bad? As there are plenty of rubbish closed source bits of software as well ;)

jatar_k

3:25 pm on Feb 11, 2008 (gmt 0)

>> So are you saying that you dont trust php from a security standpoint

Not at all. I very much trust PHP, but I just don't trust any programmers, even myself. I especially don't trust anyone who uses the word "secure" while explaining anything in regards to computers or software. I was referring to software created with PHP as opposed to PHP itself.

I guess I could argue that PHP has helped lower the threshold for programming and has caused a lot of garbage to be quickly adopted.

I don't really trust any software. I figured people asked for software in here enough that I could add PHP to the title so I could post it in here. ;)

vincevincevince

3:46 pm on Feb 11, 2008 (gmt 0)

I agree that open source software is a major security risk. The problem is that for most webmasters, once the site is made it is left. That doesn't fit well when there are footprints which will point hackers to published exploits.

I'm sure that the average open source software has far fewer security holes than the average bespoke script; the difference is that it's a lot of work to find the holes in the bespoke script, as compared to the open source script, which is frequently hacked entirely automatically and in bulk.

whoisgregg

5:11 pm on Feb 11, 2008 (gmt 0)

Open source projects, regardless of language, have to reach a certain level of "maturity" before they can be trusted. Also, it's best if they have more than just a couple programmers contributing to the project. The bigger ones have folks who focus on security, so those have some level of oversight.

Closed source software does have a security bonus... attackers can't see the programmers' exact mistakes and then exploit them. They say security through obscurity is a bad thing, but frankly, it still helps.

On the flip side, not being able to see the programmers' mistakes doesn't change the fact that they exist. Open source's security "weakness" is also its security strength... more eyes means more people can find and report mistakes. Over the lifespan of an open source project, this makes for more secure software. However, a new project or a project with very few contributors will never see this benefit.

PHP_Chimp

10:11 pm on Feb 11, 2008 (gmt 0)

I agree that as PHP is an easy-to-learn language it suffers from a lot of poorly written scripts.
The reason why we know about the poorly written scripts is that in an open source community people are more willing to help each other and show scripts (the number of posts on this forum is a testament to that).
So the number of poorly written scripts that people see is larger for a language like PHP or JavaScript, as there are a lot of people who can write it and these scripts are available to the public. We have no idea how bad a closed source script is... until it is too late.

As the open source community are willing to help each other with scripts, we expose ourselves to people that may not actually know anything. This is a risk that people need to accept when they ask for help, as there is no guarantee that a person that has been coding for years will not have a bad day, or worse, hasn't been doing a poor job for all of those years. Just a search on the web for all of the people using addslashes instead of mysql_real_escape_string proves the number of people that could be doing it better (or a search for the number of times the same has been mentioned on this forum).

I'm ex-military so have been involved with security of a different nature; and there is (ok, there should be) always a backup plan for what happens when the security fails. As it is inevitable that with enough time any amount of security will fail (either through bad luck or poor planning), the problem then is recovery or minimizing loss.
So it's not just software where the concept of 'total security' is a problem, it's life in general... as there never seems to be a backup plan.
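An added example to go with the addslashes point above (not from PHP_Chimp's post or any project on this page): the vulnerable pattern next to the fixed one, run against an in-memory SQLite database through PDO so it works offline. The table, rows, function names and the attacker string are all constructed for the demonstration; the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not code from this thread: why addslashes() is not SQL
// escaping. addslashes() only backslashes quote characters, so a value
// spliced into a numeric comparison (no quotes around it) is untouched.
// Constructed data in an in-memory SQLite database (pdo_sqlite assumed).
declare(strict_types=1);

function db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0)");
    return $pdo;
}

// Vulnerable: the "escaped" value still becomes part of the SQL text.
function findByIdEscaped(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: validate the shape first, then bind a typed parameter. The value is
// sent separately from the statement, so no escaping function is involved.
function findByIdPrepared(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        return [];                      // reject before it reaches the database
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = db();
$attack = '0 OR 1=1';                          // constructed attacker input
var_dump(findByIdEscaped($pdo, $attack));      // ['alice', 'bob', 'carol']: injection worked
var_dump(findByIdPrepared($pdo, $attack));     // []: rejected
var_dump(findByIdPrepared($pdo, '2'));         // ['bob']
```

The numeric case is the simplest failure, but not the only one: addslashes() assumes the database treats a backslash as an escape character (MySQL does, SQLite does not), and it knows nothing about the connection's character set, which is why mysql_real_escape_string existed. Prepared statements with bound parameters sidestep all of that, which is why they are the fix rather than a better escaping function.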

youfoundjake

11:15 pm on Feb 11, 2008 (gmt 0)

I do tend to trust open source PHP software. Most importantly, the open source nature of it allows it to be scrutinized more so than closed applications. I use the majors, WordPress, Joomla, Drupal, and I trust that enough people have contributed and modified to the point where it's safe to use, outside of hackers working to attempt any exploits, which is true in open source as well as proprietary software.

henry0

11:40 pm on Feb 11, 2008 (gmt 0)

Open, closed or for that matter "whatever-script" are all in the same bag.
The problem is not the script but the user that does not have sufficient knowledge to assess the downloaded package.

How many times at WebmasterWorld do we see someone asking for help with a statement similar to "I found it on the web, but it does not work!"
And knowledge is not enough; even what works today might not tomorrow. Nowadays knowledge consists in trying to keep oneself learning more, reading more etc. The web was an easy proposition years ago: no SQL injection, no ID stolen etc.
For example, I am in the process of rewriting a whole bunch of scripts to provide flood control.
I bet a bunch of us haven't assessed that risk yet!
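As an added example for the flood control henry0 mentions (not his code, and not from any project on this page): a per-client token bucket, which allows a short burst and then throttles to a sustained rate. The class name, the limits, the client address and the in-memory storage are all assumed for illustration; a real site would keep the buckets in APCu or Redis so every PHP worker sees the same counts, and the clock is injected so the behaviour can be checked without waiting.

```php
<?php
// Added example, not code from this thread: request flood control with a
// token bucket per client key. Storage is a plain array here (assumed; use
// APCu/Redis in production so all workers share it). The clock is injected
// so the demo below can advance time without sleeping.
declare(strict_types=1);

final class TokenBucket
{
    /** @var array<string, array{tokens: float, updated: float}> */
    private array $buckets = [];

    public function __construct(
        private float $capacity,       // burst size
        private float $refillPerSec,   // sustained rate
        private ?Closure $clock = null,
    ) {
        $this->clock ??= fn(): float => microtime(true);
    }

    // True if the request is allowed; consumes $cost tokens when it is.
    public function allow(string $key, float $cost = 1.0): bool
    {
        $now = ($this->clock)();
        $b = $this->buckets[$key] ?? ['tokens' => $this->capacity, 'updated' => $now];
        $elapsed = max(0.0, $now - $b['updated']);
        $b['tokens'] = min($this->capacity, $b['tokens'] + $elapsed * $this->refillPerSec);
        $b['updated'] = $now;
        $ok = $b['tokens'] >= $cost;
        if ($ok) {
            $b['tokens'] -= $cost;
        }
        $this->buckets[$key] = $b;
        return $ok;
    }
}

// Key on the client address. REMOTE_ADDR is set by the web server; only read
// X-Forwarded-For when the connection comes from a reverse proxy you control
// (assumed deployment), otherwise a client can pick its own key.
function clientKey(array $server, array $trustedProxies = []): string
{
    $ip = $server['REMOTE_ADDR'] ?? 'unknown';
    if (in_array($ip, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $ip = end($hops);   // the address your own proxy appended
    }
    return 'ip:' . $ip;
}

// Constructed scenario: 20 requests at once, then one more three seconds later.
function simulate(): array
{
    $t = 0.0;
    $bucket = new TokenBucket(5, 1, function () use (&$t) { return $t; });
    $key = clientKey(['REMOTE_ADDR' => '203.0.113.9']);
    $allowed = 0;
    for ($i = 0; $i < 20; $i++) {
        $allowed += $bucket->allow($key) ? 1 : 0;
    }
    $t = 3.0;
    $later = $bucket->allow($key) ? 1 : 0;
    return [$allowed, $later];   // [5, 1]: burst of 5, then 3 tokens refilled
}

print_r(simulate());
```

In a request handler the check is a single line before any real work: if allow() returns false, send a 429 response and stop. Keying by IP is the usual first cut, but shared addresses (NAT, corporate proxies) will throttle many users at once, so for logins or form posts a key on the account or session, with a separate, looser per-IP bucket, works better.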

vincevincevince

4:25 pm on Feb 12, 2008 (gmt 0)

henry0 brings up a good point. Whether software is open source or closed source makes little difference. What really matters is how the code is managed.

Security threats come from:

  • Software with downloadable demos
  • Open source software
  • Software which the user installs on his own server

In my opinion, you are safer to stick with one of:

  • Bespoke software created to your specifications just for you
  • Software which is only ever installed on servers under the sole control of the creators
  • Software which is so expensive that very few people have it
  • Software which is so specialised that very few people want it
  •