Web - Server

Hii guys, please i need help about this challenge, when i write the characters is user&userid=2%20and%20substring(//user[1]/password,1,1)=codepoints-to-string(112) i get the change aims to the flag .... so tell me if i’m on the right path or wrong ??