View the page source again. This time you will see a form, with the action update2.php. You will try clicking without passwords, and you get "Invalid username/password".
Then click back, so you can type your username and password again. We use SQL injection.Use the username:" ' or 1=1 - " and the same password and you are done!. SQL injection is a very outdated vulnerability and you will hardly find a web application vulnerable to it.