Why Using "null" as a Username Can Break Your System and How to Prevent It

The author encountered a post where usernames like "null" caused silent failures and hours of debugging.

Problems When Username Is "null"

"null" is not null, yet it brings more problems than a true null value.

1. User Experience Perspective

When a username is the literal string "null", users are confused, e.g.: Welcome, null! Many users do not understand what "null" means; it may be a mistake, auto‑fill, or data imported from another system.

2. Development and Maintenance Perspective

If the code checks for null using == null, the string "null" bypasses the check, creating a "ghost user" in the database.

if (user.getUsername() == null) {
    throw new IllegalArgumentException("用户名不能为空");
}

Log output then shows: Current username: null It becomes hard to distinguish between a real null and the string "null". This also affects duplicate checks, Excel exports, permission audits, and automated scripts that treat "null" specially, potentially mis‑classifying or skipping the user.

3. System Security Perspective

Attackers may exploit boundary values such as "null", "undefined", spaces, or emojis to probe defenses. In some frameworks, "null" is treated as a system variable or placeholder, which can lead to XSS or information‑leakage risks.

4. Consistency and Specification Perspective

If the system allows "null" as a username, it should also allow other ambiguous values:

"undefined"

"0"

" "

(space)

"💩"

"admin"

(not a real admin)

…

Allowing such “dirty” usernames creates further data quality problems.

5. Troubleshooting Perspective

When investigating issues caused by a "null" username, developers may need to:

Capture network traffic and analyze requests.

Inspect backend logs.

Add breakpoints in code.

Clear caches.

Examine the database for ambiguous null values.

…

After hours of investigation, the root cause is often that the value is the string "null", not a true null, leading to a night‑long bug‑fix and data‑cleaning effort.

How to Properly Handle "null" Usernames

Although the string "null" is a legal non‑empty string in Java, from product experience, security, and operations viewpoints it should be treated as illegal input and blocked.

Define a whitelist of illegal usernames and validate them early:

private static final Set<String> ILLEGAL_USERNAMES = new HashSet<>(Arrays.asList(
    "null", "undefined", "true", "false", "admin", "root", "", " ", "\t", "
"
));

public void validateUsername(String username) {
    if (username == null || ILLEGAL_USERNAMES.contains(username.trim().toLowerCase())) {
        throw new IllegalArgumentException("用户名非法或为空");
    }
}

Sample code for reference only.

In practice, whether the username comes from front‑end input, Excel import, or API calls, the same validation‑then‑processing pattern should be applied to avoid hidden bugs.