can't trust the user's input, else they could just throw someone else's user id