When "null" Becomes a Real Username: Hidden Bugs and How to Prevent Them
This article reveals how treating the string "null" as a legitimate username can cause user experience glitches, log confusion, database contamination, security risks, and automation failures, and provides practical backend, frontend, and database validation strategies to safeguard your applications.
You might think null is the actual null value, but the bug is very real!
Recently a humorous post showed a user registering with the username "null". This is not Java's null or SQL's NULL, but a literal string "null" that can slip through code checks and create phantom users.
Why is "null" so funny to developers?
Consider the following code:
    if (username == null) {
        throw new IllegalArgumentException("Username cannot be empty!");
    }

When a user submits:

    {
        "username": "null",
        "password": "123456"
    }

The check does not reject this request: the string "null" is an ordinary non-null value, not the null reference, so the registration succeeds.
Consequences of using "null" as a username include:
User experience breakdown
After login the system displays “Welcome, null!” leaving users confused.
Log debugging nightmare
Logs filled with “null” make it hard to distinguish real nulls from the string, leading to endless debugging.
Database pollution
Exported data, permission management, or deduplication may show unexpected “null” entries that appear as legitimate users.
Security risks
Some systems treat “null” as a special identifier, potentially causing XSS or information leakage.
Automation script failures
Scripts that skip null values may overlook the string “null”, breaking business logic.
How to handle this issue?
Here are several practical measures:
1) Strict username validation
Check not only for null but also for strings like "null", "undefined", spaces, etc.
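    import java.util.Locale;
    import java.util.Set;

    // Reserved or placeholder-looking names, compared after trim + lowercase.
    private static final Set<String> ILLEGAL_USERNAMES = Set.of(
        "null", "undefined", "admin", "root"
    );

    public void validateUsername(String username) {
        // isBlank() rejects "", " ", "\t" and "\n"; after trim() those would
        // never match a whitespace entry in the set.
        if (username == null || username.isBlank()
                || ILLEGAL_USERNAMES.contains(username.trim().toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("Invalid username!");
        }
    }

2) Front‑end validation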
Add a rule in the client‑side form:
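    // Client-side check is a usability aid; the server must repeat it.
    const normalized = username.trim().toLowerCase();
    if (["null", "undefined", ""].includes(normalized)) {
        alert("Username cannot be null or undefined!");
        return;
    }

3) Database constraints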
Add a CHECK constraint to forbid illegal usernames:
    ALTER TABLE users
    ADD CONSTRAINT chk_username
    CHECK (username NOT IN ('null', 'undefined', ' '));

4) Distinguish real null in logs
Log with an explicit marker:
    logger.info("Username: {}", username == null ? "[NULL]" : username);

Final advice: Prevent users from paying for your bugs
Entry interception: Validate at registration, import, and API calls.
Unified standards: Restrict usernames to letters and numbers with length limits.
Defensive programming: Always assume users may provide the most absurd data.
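The "unified standards" and "entry interception" advice can be combined into one allowlist check that every entry point calls. The following is an added example, not code from the original article; the class name UsernamePolicy, the 3 to 20 character limit, and the NFKC normalization step are assumptions chosen for illustration.

```java
import java.text.Normalizer;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: hypothetical class, not from the article.
public final class UsernamePolicy {
    // Assumed standard: ASCII letters and digits only, 3 to 20 characters.
    private static final Pattern ALLOWED = Pattern.compile("[a-z0-9]{3,20}");
    // Placeholder-looking or privileged names, taken from the article's list.
    private static final Set<String> RESERVED = Set.of("null", "undefined", "admin", "root");

    /** Returns the canonical username, or empty if the input must be rejected. */
    public static Optional<String> canonicalize(String raw) {
        if (raw == null) {
            return Optional.empty();          // the real null reference
        }
        // NFKC folds look-alike forms (e.g. fullwidth letters) to ASCII before any check runs.
        String name = Normalizer.normalize(raw, Normalizer.Form.NFKC)
                .strip().toLowerCase(Locale.ROOT);
        if (!ALLOWED.matcher(name).matches() || RESERVED.contains(name)) {
            return Optional.empty();          // blank, wrong charset or length, or reserved
        }
        return Optional.of(name);             // store and compare this form only
    }

    private static String verdict(String raw) {
        return canonicalize(raw).map(n -> "accept as " + n).orElse("reject");
    }

    public static void main(String[] args) {
        // Constructed inputs of the kind that arrive via registration, import or API calls.
        List<String> samples = List.of("null", " NULL ", "ｎｕｌｌ", "undefined",
                "\t", "ab", "alice42", "Bob2024");
        for (String s : samples) {
            System.out.println("[" + s.replace("\t", "\\t") + "] -> " + verdict(s));
        }
        System.out.println("[NULL] -> " + verdict(null));
    }
}
```

Calling the same method from registration, bulk import and API handlers keeps the rule identical at every entry point, and persisting only the canonical form prevents "Null" and "null" from becoming two distinct accounts.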
Selected Java Interview Questions
