Is there anything wrong with the way I'm implementing a Calendar on my site?


Question
I am setting up a website for students of a school, which must include a schedule page which will show a calendar with events populated by feeds from various teachers' calendars. After trying out a variety of scripts and tools made for showing calendars, I finally hit upon a very shoddy, hacked-together way of doing it, and I want to know if there's any specific things wrong with my implementation.

My requirements from this calendar are posted in a previous question. This is how my implementation is going to work:

The teachers make their schedules in their own calendar programs and make those feeds available in the iCal format. A common Google account for the school subscribes to all these calendars, and so gets read-only access to ALL the teachers' schedules in school. Google Calendar has a feature that lets you select some of your calendars, and then get the HTML code for an iframe to embed on your website, so that visitors to the site can see what events are coming up. When I experimented around with the options in the Google 'Configurator', I found that by simply including certain codes in the URL called for the iframe contents, you could change which calendars were visible. These codes, or calendar ids, are clearly displayed in the settings for each calendar. Thus, my final solution is:

For every student, there is a record stating which courses he has taken, and hence which calendars he should be shown. With some SQL magic, I can retrieve the calendar ids from a pre-prepared database of all the calendar ids, and then generate the correct URL for the iframe using PHP, and display it.

I hope that wasn't too convoluted to understand. Now can anyone tell me if there are any inherent security flaws or bad programming practices etc. in this. Something about the whole idea of dynamically generating URLs, using iframes, using a common Google account etc. just screams 'Mistake!'. Can someone tell me if this is an OK way to go about it, or is there some problem with it?

Solution

Actually, I think your solution has the potential to be very secure. Using a single Google account to collect the read-only calendars into one place is just an organizational shortcut. As long as the calendars themselves are read-only, your single account contains nothing that isn't already public.

Generating URLs is perfectly reasonable, as long as you are combining strings that you've sanitized beforehand. Since your database can only get calendar IDs from your aggregation Google account, you know that potentially malicious users can't cause arbitrary characters to end up in your synthesized URLs.

The biggest problem you'll probably run into is that the Google embedded calendar iframe only allows up to ten calendar feeds.

The most likely security vulnerability you'll face is the security of all of the teachers' Google calendars.

By default, Google calendars accept "invitations" and post them as events. You might find that anyone can "invite" a teacher's calendar to prank events and those prank events will then show up on student calendars.
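One way to do the URL generation the answer recommends, as an added example rather than code from the question or answer: the calendar ids come from a parameterised query, are checked against the e-mail-like shape Google issues, are capped at the ten-feed limit the answer mentions, and are escaped once for the query string and once more for the iframe `src` attribute. The table names (`enrollments`, `course_calendars`) and the embed endpoint with its repeated `src` parameter are assumptions, not something the question states.

```php
<?php
// Added example, not code from the original question or answer. Builds the
// embedded-calendar <iframe> for one student. Hypothetical schema:
//   enrollments(student_id, course_id), course_calendars(course_id, calendar_id).
// The embed endpoint and repeated "src" parameter are assumed from the Google
// "Configurator" output described in the question.

const MAX_EMBED_FEEDS = 10; // the ten-feed limit the answer mentions

// Accept only ids shaped like the ones Google issues (an e-mail-style address);
// a stray value in the table must never reach the URL.
function isValidCalendarId(string $id): bool
{
    return preg_match('/^[A-Za-z0-9._%+-]{1,200}@[A-Za-z0-9.-]{1,100}$/', $id) === 1;
}

// Parameterised query: the student id is bound, never concatenated into the SQL.
function calendarIdsForStudent(PDO $pdo, int $studentId): array
{
    $stmt = $pdo->prepare(
        'SELECT DISTINCT c.calendar_id FROM enrollments e
           JOIN course_calendars c ON c.course_id = e.course_id
          WHERE e.student_id = :sid ORDER BY c.calendar_id'
    );
    $stmt->execute([':sid' => $studentId]);
    $ids = array_filter($stmt->fetchAll(PDO::FETCH_COLUMN), 'isValidCalendarId');
    return array_slice(array_values($ids), 0, MAX_EMBED_FEEDS);
}

// Each id is percent-encoded for the query string, then the whole URL is
// HTML-escaped so it is safe inside the src="" attribute.
function embedIframe(array $calendarIds, string $tz = 'UTC'): string
{
    $params = array_map(fn(string $id): string => 'src=' . rawurlencode($id), $calendarIds);
    $url = 'https://calendar.google.com/calendar/embed?' . implode('&', $params)
         . '&ctz=' . rawurlencode($tz);
    $src = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<iframe src="' . $src . '" width="800" height="600" frameborder="0"></iframe>';
}

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE enrollments (student_id INTEGER, course_id TEXT)');
$pdo->exec('CREATE TABLE course_calendars (course_id TEXT, calendar_id TEXT)');
$pdo->exec("INSERT INTO enrollments VALUES (1, 'math'), (1, 'physics')");
$pdo->exec("INSERT INTO course_calendars VALUES ('math', 'math.teacher@example.org'),
    ('physics', 'abc123@group.calendar.google.com'), ('physics', 'not a calendar id')");

echo embedIframe(calendarIdsForStudent($pdo, 1), 'Europe/London'), PHP_EOL;
```

The `not a calendar id` row is rejected by the validator, so the printed iframe carries only the two well-formed ids, with `@` percent-encoded and `&` written as `&amp;` inside the attribute.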
