Well I provided a solution for this, here is original website code:
<div class="tcl" style="width:290px;text-align:right;">
<input class="bgreen" type="submit" formaction="order.php?id=450469&stat=1" value="Finalize"></input>
</div>
So we can all see that what it does is send post request to "order.php" with variable "id" and "stat".
Well I give him javascript code:
javascript:(function(){var xhr = new XMLHttpRequest();xhr.open("POST", "orders.php", true);xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");xhr.send("id=450469&stat=1");})();
That can be pasted in URL bar and run which does exactly the same thing, I even tested this on the website and saw that the request returned status code 200 but probably need to be logged in with his cookie.
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Fi.imgur.com%2FL2xhmKy.png&t=663&c=p9fH1rJzI820wA)
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Fi.imgur.com%2FtwWuklI.png&t=663&c=mEAw96_2wvZbdQ)
Here is the code formatted for easier reading:
javascript: (function() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "orders.php", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.send("id=450469&stat=1");
})();
We can all see that this javascript code does exactly the same as original website code... he claims it does not work however but it does exactly the same thing.
Note I changed "order.php" to "orders.php" as when I tested it on the website it returned status code 302 Moved Temporarily and redirected to orders.php
![](https://ip.bitcointalk.org/?u=https%3A%2F%2Fi.imgur.com%2FPJNZZq2.png&t=663&c=Q58-CgLO9odkkQ)
Trade with caution.