When "null" Becomes a Real Username: Hidden Bugs and How to Prevent Them

Many developers assume that the value null is always a special null reference, but users can actually submit the string "null" as a username, leading to subtle yet serious bugs.

Why “null” as a username is funny for programmers

Consider the following Java check:

if (username == null) {
    throw new IllegalArgumentException("用户名不能为空！");
}

If a user registers with "null" as the username, the condition fails because the string is not the null reference, and the registration succeeds, leaving a “ghost” user in the database.

Typical symptoms include:

User experience explosion: after login the system greets “Welcome, null!” causing confusion.

Log debugging nightmare: logs filled with the word null make it impossible to distinguish real null values from the literal string.

Database pollution: exported data, permission checks, or deduplication processes encounter an unexpected “null” entry.

Security risk: some systems treat the string "null" as a special token, potentially leading to XSS or information leakage.

Automation scripts break: scripts that skip null values may ignore the “null” user, causing logic errors.

How to handle the problem

Here are four practical measures:

(1) Strict username validation

private static final Set<String> ILLEGAL_USERNAMES = Set.of(
    "null", "undefined", " ", "\t", "
", "admin", "root"
);

public void validateUsername(String username) {
    if (username == null || ILLEGAL_USERNAMES.contains(username.trim().toLowerCase())) {
        throw new IllegalArgumentException("用户名非法！");
    }
}

(2) Front‑end interception

if (["null","undefined",""].includes(username.trim())) {
    alert("用户名不能是 null 或 undefined！");
    return;
}

(3) Database constraint

ALTER TABLE users ADD CONSTRAINT chk_username
CHECK (username NOT IN ('null','undefined',' '));

(4) Distinguish null in logs

logger.info("用户名为: {}", username == null ? "[NULL]" : username);

Final advice

Validate inputs at every entry point—registration, import, API calls—enforce a uniform naming rule, and adopt defensive programming assuming users may provide the most absurd values.