I'd guess that something somewhere has got its sanitization wrong. They tested it against

    Robert'); DROP TABLE Students;--

And see that it now provides

    'Robert DROP TABLE Students'

Problem solved! And then later somebody else comes along, ignorant of the sanitization step, and provides

    NULL

But the code strips special characters and adds quotes, so they've actually inserted:

    'NULL'