I am looking to use zope for a database driven web application. For the most part zope looks like a good fit and will definatly speed up development. However, there seems to be a major security issue for database driven sites. Lets take simple example, assume that each user has an id that is keyed to his 'stuff'. The zsql method must be passed this id to access his stuff. This is all fine and good, A script(python) method could provide this to the zsql method behind the scenes without any great issue. The problem comes in when the user attempts to access this zsql method from via its url. Going this route he could pretty easily supply and arbitrary id and get access to information that he shouldn't have. This assumes that the user is aware of or can guess the name of the zsql method. This isn't enough of a protection in my mind. I am sorry if I wasn't super coherent in this post, I had a very long day and late night last night. Thanks for the input, Eric __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com