Just remember when your sysadmin comes hunting for your head after a scriptkiddie has their way with your webserver that perhaps passing input from users with no validation at all ($user_id) through a shell (via the backticks two lines hence) wasn't the best of ideas.