I am setting up a website for students of a school, which must include a schedule page which will show a calendar with events populated by feeds from various teachers’ calendars. After trying out a variety of scripts and tools made for showing calendars, I finally hit upon a very shoddy, hacked-together way of doing it, and I want to know if theres any specific things wrong with my implementation.

My requirements from this calendar are posted in a previous question
This is how my implementation is gonna work:

The teachers make their schedules in their own calendar programs and make those feeds available in the iCal format. A common Google account for the school subcribes to all these calendars, and so gets read only access to ALL the teacher’s schedules in school.
Google Calendar has a feature that lets you select some of your calendars, and then get the html code for an iframe to embed on your website, so that visitors to the site can see what events are coming up. When I experimented around with the options in the Google ‘Configurator’, I found that by simply including certain codes in the url called for the iframe contents, you could change which calendars were visible. These codes, or calendar ids, are clearly displayed in the settings for each calendar. Thus, my final solution is thus:

For every student, there is a record stating which courses he has taken, and hence which calendars he should be shown. With some SQL magic, I can retrieve the calendar ids from a pre-prepared database of all the calendar ids, and then generate the correct url for the iframe using php, and display it.

I hope that wasn’t too convoluted to understand. Now can anyone tell me if there are any inherent security flaws or bad programming practices etc in this. Something about the whole idea of dynamically generating urls, using iframes, using a common google account etc just screams ‘Mistake!’. Can someone tell me if this is an ok way to go about it, or is there some problem with it?