Why the Username “null” Can Crash Your App and How to Prevent It

Why the Username “null” Can Crash Your App and How to Prevent It

You might think that null is the real null value, but in many cases it is actually the string "null", which can silently break your code.

What Happens When a User Registers with "null"

Consider this Java check:

if (username == null) {
    throw new IllegalArgumentException("Username cannot be null!");
}

If a user submits JSON like:

{
  "username": "null",
  "password": "123456"
}

The check passes because the string "null" is not the Java null, so the user registers successfully.

Logs may show: Current user: null which looks like a system error but is actually the username.

Problems Caused by "null" Username

User Experience Breakdown : After login the system greets "Welcome, null!" leaving users confused.

Log Debugging Hell : Logs are filled with null, making it hard to distinguish real nulls from the string.

Database Pollution : Exported data contains unexpected "null" entries that appear as dirty data.

Security Risks : Some systems treat "null" as a special token, potentially leading to XSS or information leakage.

Automation Scripts Fail : Scripts that skip null values miss the "null" users, causing logic errors.

How to Fix It

(1) Strict Username Validation – reject not only null but also the strings "null", "undefined", empty spaces, etc.

private static final Set<String> ILLEGAL_USERNAMES = Set.of(
    "null", "undefined", " ", "\t", "
", "admin", "root"
);

public void validateUsername(String username) {
    if (username == null || ILLEGAL_USERNAMES.contains(username.trim().toLowerCase())) {
        throw new IllegalArgumentException("Invalid username!");
    }
}

(2) Front‑end Interception – add client‑side checks before sending data.

if (["null", "undefined", ""].includes(username.trim())) {
    alert("Username cannot be null or undefined!");
    return;
}

(3) Database Constraint – add a CHECK constraint to forbid these values.

ALTER TABLE users ADD CONSTRAINT chk_username
CHECK (username NOT IN ('null', 'undefined', ' '));

(4) Distinguish in Logs – mark real nulls clearly.

logger.info("Username: {}", username == null ? "[NULL]" : username);

Final Advice

Never let a user’s input of "null" cause hidden bugs. Validate at entry points, enforce consistent naming rules, and adopt defensive programming assuming the worst input.