When trying to access a login, an attacker might write the following statement in the username box:
user' OR '1'= '1
Why is that extra quote needed for user' ? Doesn't it show up in the hidden SQL syntax as 'admin'' with double quotes instead, rendering it invalid? The same question goes for the second 1 in the statement with only a front quote but not a back quote. If I add the back quote, it shows up with double quotes as ('1'') in the SQL.
I tried using a different combination of syntax, but this SQL code was the only option that worked. I've also tried using different characters to see whether the fact that 1 is an integer makes a difference, and it doesn't.