Why the String "null" Breaks Your Java Backend and How to Fix It

Recently a humorous post about a user registering with the username null highlighted a common but dangerous bug: developers mistake the literal string "null" for a true null reference.

In Java, null is a keyword representing the absence of an object, while "null" is just a non‑empty string. Treating the latter as empty leads to logic errors.

Example JSON payload:

{
  "username": "null",
  "password": "123456"
}

Backend code that only checks user.getUsername() == null will consider this input valid, allowing a user named "null" to be created. Subsequent operations (email, permission checks, duplicate detection) then fail because the system treats the string as a real username.

Demonstration of the difference:

String a = null;
String b = "null";
System.out.println(a == null);          // true
System.out.println(b == null);          // false
System.out.println("null".equals(a));  // false
System.out.println("null".equals(b));  // true

This confusion is especially risky when interacting with front‑end code, APIs, or databases. A common front‑end pattern like username = username || "null"; substitutes the literal string "null" for missing values, which the backend then stores as a legitimate username.

Database constraints such as NOT NULL do not help, because the value is a non‑empty string and will be inserted without error.

Recommended fix: Apply a uniform sanitisation step to every incoming string.

public static String sanitizeInput(String input) {
    if (input == null) return null;
    String trimmed = input.trim();
    if ("null".equalsIgnoreCase(trimmed)) return null;
    return trimmed;
}

Calling this method before persisting or processing any user‑provided field eliminates the "null" string problem.

Database queries suffer the same issue; for example User user = userRepository.findByUsername("null"); actually looks up a user whose name is the literal "null".

Security‑related variants such as "nulI" (lower‑case L + upper‑case I) are examples of character‑spoofing attacks. A simple regex blacklist can block them:

if (username.matches("(?i)null|nulI|nuli|n1ll")) {
    throw new IllegalArgumentException("用户名非法");
}

More advanced defenses include visual‑similarity detection libraries.

Key pitfalls summarized:

Confusing the string "null" with the null reference.

Storing unchecked input directly into the database.

Relying solely on database constraints for validation.

Lacking proper validation for username/password fields.

Ignoring character‑spoofing attacks.

By treating every user input with strict validation and sanitisation, developers can avoid obscure bugs that keep them debugging until the early hours.