I have made a website that generates hashes from users inputting plain text, a user can enter a word/ phrase and select from MD5 or SHA1 (or both). The site then takes this input and converts it into MD5 & SHA1 and stores it in a database, then returns it to the user. Users can also enter hashes into a search bar and if the database has the hash it will return the original word, the aim is to generate crowd-sourced hash tables whilst providing a benefit to users. I have got the main functionality working but I have a dilemma about what I should sanitize, I want users to be able to input special characters as it will improve the chances of the search function returning a result, any advice would be appreciated, thanks.
You shouldn't have to sanitise anything if it's just going to be hashed, since hashing functions are generally not vulnerable to injection attacks.
You should, of course, sanitise all your database inputs (for both insertion and searching). However, unless you're using an antiquated database API that doesn't support parameterised queries (e.g. the mysql_* functions; avoid these) this will be done automatically.