Edit: If you read this issue and still beg me for a solution to the referenced exercise, then I'm afraid you probably shouldn't be left outside unsupervised. I feel sorry for you.

It looks like the controller for the filtering lesson (currently number 9) assumes that the underlying table contains "dave" and "passW0rD'. The one used doesn't, and will only let you pass if you first insert those into the table.

Or to put it differently, the following input should pass you:

'/**/or/**/'1'='1

But it will print the entire table (which presumably is the objective (even though the objective isn't actually stated on the page!), after saying that the solution isn't correct:

After digging through the lesson code (which I would normally consider cheating, but my life is too short for broken courses), it dawned on me that the creator of this question assumes that the underlying table is the same as in a previous exercise, where we found that dave's password is passW0rD, so I ran this:

'/**/;update/**/user_data/**/set/**/cookie='davepassW0rD';--

After this, the previous solution will work:

I thought this app was supposed to teach you Web security flaws, not how not to fail at abstraction between code modules...