Instead, have Zope provide you the name of the user from its authentication machinery. That's *much* harder to spoof.
To get this, cook up a Python script called get_user and use this for the code:
---- from AccessControl import getSecurityManager return getSecurityManager().getUser().getUserName() ----
Now include a call to get_user() when you need to pass in the username as a parameter to your query.
Thanks! I don't know why this didn't occure to me. It does however make good sense. Thanks for the info, I do have one more question though. Can I add to the user information? At some point I will need to look up the users numeric id to actually query the user data. I seem to have read something about attributes in the past, I may have to dig that info up. __________________________________ Do you Yahoo!? The New Yahoo! Shopping - with improved product search http://shopping.yahoo.com