If you are receiving an "Internal Server Error" on the SQL injection lesson, please see if the following helps you resolve the issue.

 

Are you entering the SQL injection for the username instead of the password? 

If so, that is the problem. You should use "alice" as the username and your SQL Injection payload for the password.

This happens because the username field is used elsewhere in the application, so adding a quote to the username causes SQL syntax errors in other parts of the app. This can result in 500 errors.

Please note, this would not happen if the app were not vulnerable to SQL Injection.
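The following added example (not the lesson application's code) shows why a quote in the username produces a 500 only when the query is built by string concatenation. The SQLite in-memory database, the table names and the function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("CREATE TABLE orders (username TEXT, item TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    db.execute("INSERT INTO orders VALUES ('alice', 'book')")
    db.execute("INSERT INTO orders VALUES ('o''brien', 'pen')")
    return db

def orders_vulnerable(db, username):
    # String concatenation: the username becomes part of the SQL text,
    # so a quote inside it unbalances the statement.
    sql = "SELECT item FROM orders WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]

def orders_parameterized(db, username):
    # Bound parameter: the username is passed as data, never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT item FROM orders WHERE username = ?", (username,))]

def handle_request(query_fn, db, username):
    # Stand-in for a web handler: an unhandled database error becomes a 500.
    try:
        return 200, query_fn(db, username)
    except sqlite3.Error as exc:
        return 500, str(exc)

if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "o'brien"):
        print(name, "concatenated  ->", handle_request(orders_vulnerable, db, name))
        print(name, "parameterized ->", handle_request(orders_parameterized, db, name))
```

With the concatenated query, the ordinary surname `o'brien` is enough to trigger the error; the parameterized query returns the matching row.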
 

Are you entering a newline after a SQL comment? 

A newline after the comment messes up the SQL command and causes a SQL error.

 

Are 3rd party cookies enabled in your browser?

If not, the second part of the lesson will not work. Remove plugins and update your browser settings:

  • If you are using Safari, please disable "Prevent cross-site tracking". Go to Safari > Preferences > Privacy and uncheck the box. Then refresh this page. This allows the sandbox application to work correctly.
  • If you are using Chrome, please ensure you have the ability to save/read cookies: Settings > Advanced > Privacy and Security > Content Settings > Cookies > Allow sites to save and read cookie data (recommended). Also, on the same menu, ensure that "Block third-party cookies and site data" is disabled.

You should also disable any browser plugin that would block third-party cookies, like an ad blocker.

If you would prefer not to use 3rd party cookies, or are unable to, you can use "Popout Mode". You can learn more about Popout Mode here: https://help.hackedu.io/en/articles/3323850-popout-mode-vs-single-window-mode
