and investigating the possibility of spoofing as a registered user by url hacking with data from a registered user and using user_id of 0.
Thanks for that find.