
PostgreSQL database not accepting edits

Open zerodayhacker opened this issue 1 year ago • 0 comments

Hi, in Challenge 13, I have found the coupon_code parameter in the /workshop/api/shop/apply_coupon endpoint to be injectable. I also found the applied_coupon table in the PostgreSQL database.

The endpoint accepts the following injection and returns the database version: "coupon_code":"TRAC075'; SELECT version() --+"

But it refuses the following and returns a 500 error: "coupon_code":"TRAC075'; DELETE FROM applied_coupon WHERE coupon_code=TRAC075 --+"

Is there anything that needs to be changed in the crAPI config file to allow user edits to be made to the database? I noticed there are restrictions for shell injection.

Thanks, Edw.

zerodayhacker avatar Feb 11 '24 15:02 zerodayhacker