REMOTE_USER can be trusted as long as you also ensure that no one
else on the box can execute your script directly, either from the command line
or from other CGI programs.
If you are using mod_perl there's an API callback that gets you the
same information stuffed into REMOTE_USER. In fact, you can even
get the password used as well. {grin}