You can make a good case to spend time sanitising requests to avoid catastrophic failure, but the "null" problem is one that quickly becomes a lot of work and risk to fix after the fact, for no obvious benefit except what's seen as the pedantry of some nerd, so it gets ranked all the way at the back of the list... until someone named Null comes along, and probably still even then.
"System owner, we need to spend $10K to sanitise requests or a kid can destroy our business overnight".
"System owner, we need to spend $10K to clean up the database and code so that null and "null" are not the same thing, even though it works 99.99% of the time".
If there are type confusion bugs related to SQL statements, I think SQL injection is likely to exist, if not some other super nasty bugs will eclipse it.
You can waste 10k paying someone to look at it or you could not waste your money, but I’d be fucked before I sign off on a system with those kinds of bugs as being secure, evidence or not. Someone higher up can accept that risk, but I’d rather not be liable when it’s breached or catastrophically damaged because some kid changed their last name to an SQL injection payload.
And yes, I’ve checked, in my country unpronounceable names are not permitted, otherwise I’d have one. There are existing case studies of this, iirc in the UK.
