How can I Simulate iframe with php and CSS?


I would like to display third party websites on a div using CSS and PHP to receive the requested page the user intends to view, for example:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
  <meta http-equiv="content-type" content="text/html; charset=windows-1250">
        * { margin:0; padding:0; }
      .banner{ width: 100%; height: 90px; border:#000 solid 1px; background: #ffc; text-aling: center; }
      .requestedPage{ width: 100%; }




        $num = rand(1,100);


      <div class="banner"><? 
echo "Number is: $num"; ?></div>
      <div class="requestedPage">
             include( $_REQUEST['requestedPage'] );

I tried including an the url of the requested page but can’t see the page in the requestedPage div.

Now, if I do

<embed width=“100%” height=“100%” src=“<?=$_REQUEST[‘requestedPage’]?>”></embed>

it only works on certain browsers (Chrome actually).

I would like to have a banner displayed on top of other websites but, can’t find a solution on how to do this. I was thinking of redirecting all traffic to a page that would display the requested pages on “requestedPage” div.

Please guide me to where I can find some information on how to do this.

Thanks in advanced for your help.

You have some scary security issues there, but those aside for now; why aren’t you using an iframe? It seems perfectly suited.

I Completely agree. Also you need javascript of some sort, because its a client side script.
after the page loads php wont be able to do anything unless assisted by js and CSS can only style.

When using a IFrame I don’t see a reason to use Javascript since you define the source in your IFrame!

Might help to outline some of these. Here are ones I can think of…

  • By doing this, you’re allowing any js in the page to “originate” from your domain. This may break the script if it needs to do an ajax callback to home (within the iframe it is in it’s home domain), or it will enable an attack script to do XSS attack with relative ease.
  • If the file returned by the target embeds php tags it could get eval’ed by your server depending upon the method that you handle your templates. This can be very bad.

That’s two off the top of my head, and I’m not a security professional. All my experience tells me that this is a very, very bad idea fraught with problems not encountered by using the iframe in the first place. Unless you ( OP, not Anthony ) have a very good reason for going about it in this manner then I’d advise against this.

If you do want to go this route and the target server has rss feeds available, use those instead. Less likely to be an attack vector through rss.

Don’t know if iframe is the best or easiest way to accomplish this but, I’ve read so many bad things about iframe that make me change my mind about using it.

Now, what I would love to do is just have everything that passes through our gw to somehow be re-written so I can add a banner up top. Some how I need a php script to be run before sending the page to the client and run a javascript script with an iframe and css…

I have the idea in my mind but, can’t really get it “live”. I don’t know what to really do and how can it be done.

There are different ways to do it:
– configuring apache server to do some rewrite
– squid can also do something using ecap, which I don’t know anything about.

Please guide me on how can be done since, I’m so confused I can’t get my mind straight.


I understand the security issues by including url to your script and have disregarded that idea. Security is very important to me.


iFrame is a security issue yes, but your alternative is worse. If iFrame is walking a tightrope, you’re proposing walking a greased tightrope without a net while the clowns saw through the rope.

That is really risky.

Than, what you consider to be the best practice or way to do what I’m trying to accomplish?

Let me give more details on what the setup could be:

I would have squid to do cache, and everything passing through the gw which will be running squid needs to have that banner on the top except for ssl traffic that’s not cached by squid but, all http traffic should have that banner… Now the banner should be controlled by php script that will generate a random image to be displayed and record how many times that image has being shown on a mysql table.

Can you explain a bit clearer what’s going wrong? I agreed with Anthony that a IFrame would be appropriate but I still don’t see why the include in the div isn’t working

Let me explain exactly what I’m trying to accomplish:

I would like every client pc on our LAN to be able to see a banner when browsing the internet no matter what page they visit. Now, to accomplish this I don’t know which is the best, safest, easiest way.

I imagine I have to force some redirect for all pages to port 80 to pass through a php script which receives the the page url the client intended to view for example: The user intended to go to, now, the gw somehow (this is where the trick is at and I don’t know how to force this) redirects the user to our local page hosted on the gw:

Now the splash.php script is in charge of displaying the google page underneath a banner.

This is the process for each page visited on port 80 for each client pc on the LAN.

Basically, that’s all I would like to do.

It sounds like you need a redirector for squid then.

Just use the redirector to, well, redirect all requests to script.php?url= Your PHP script would then output a page, with banner and iframe, with the supplied URL as the iframe src.


Amen Answer given :slight_smile:

Thanks for replying.


But, how and what squid redirector should I use?

Do I need to write my own with php?

Yes, you’ll need to write something to output the required HTML. PHP is more than acceptable, check out the manual page for this.

There are a few things that will trip you up, but we’ll address those fun bits when you get to them. :wink:



I was looking at squidGuard which I THINK can be used to accomplish redirection…

I’ll keep you guys posted on my progress.

Thanks for clearing out the path.