Well I provided a solution for this, here is original website code:
<div class="tcl" style="width:290px;text-align:right;">
<input class="bgreen" type="submit" formaction="order.php?id=450469&stat=1" value="Finalize"></input>
</div>
So we can all see that what it does is send post request to "order.php" with variable "id" and "stat".
Well I give him javascript code:
javascript:(function(){var xhr = new XMLHttpRequest();xhr.open("POST", "orders.php", true);xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");xhr.send("id=450469&stat=1");})();
That can be pasted in URL bar and run which does exactly the same thing, I even tested this on the website and saw that the request returned status code 200 but probably need to be logged in with his cookie.
Here is the code formatted for easier reading:
javascript: (function() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "orders.php", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.send("id=450469&stat=1");
})();
We can all see that this javascript code does exactly the same as original website code... he claims it does not work however but it does exactly the same thing.
Note I changed "order.php" to "orders.php" as when I tested it on the website it returned status code 302 Moved Temporarily and redirected to orders.php
Trade with caution.