This problem was pretty simple - even though uname and pswd were filtered through mysql_real_escape_string(), the NO_BACKSLASH_ESCAPES option essentially negated that protection.
So to ignore the password field, use the username admin";# and you'll get the flag: Your flag is: bobby_tables_little