> I would look at a simple solution as follows:
> Hard code a user prefix to the user name in the frontend application
> ie if the user name is TOM and the hardcoded prefix is ABC the the

actual

> user name in security.db is ABCTOM
> The user only ever enters TOM as the user name so if he tries to

enter TOM

> outside the permitted interface it will be an invalid user name
>
> Obviously you keep the prefix to yourselves
>
> reagrds Cao

I have used this trick previously and worked fine.
_BUT_ I used a salt on password value only, so that getuser() sql
function would still return a valid usernames. Username was stored to
a modification histories and columns.