well, aren't admins also supposed to be allowed to inject SQL? that could easily modify any tripcode. The point is you will have to trust admins, anywhere on the Internet