Rating: 5.0
https://www.eugenekolo.com/blog/hitcon-ctf-2016-writeups/#areyourich
I find this write-up is the scientific approach and perhaps most logical approach of all.
The only issue I have with it is towards the end - it does not explain how it finds that flag is the name of the (only) column of table flag1. Perhaps the author enumerated the table schema, or used SQL commands to find the number of columns - (union select null,null) - and used select * from flag1;
d' AND 1=2 UNION ALL SELECT flag from flag1 #
Well, maybe it was just a guess - less likely.