I see no reason for your application to sanitize anything. All you're doing with your users' input is feeding it to a cryptographic hash function, and those functions will happily accept any byte sequences.
Of course, if you're displaying the input string on the result page, you should escape it with htmlspecialchars() before embedding it in HTML code. Similarly, if you're including it as a parameter in a URL you should escape it with urlencode(), and if you're storing it in an SQL database, you should escape it with the appropriate escaping function for your database driver (e.g. mysqli::escape_string()), or just use prepared SQL statements with placeholders.
Also note that cryptographic hash functions operate on byte strings, not on character strings. This means that, especially for text containing non-ASCII characters, the hash value will depend on the character encoding used to encode it into bytes. For Unicode text, it may also depend on the normalization form used. UTF-8 (with normalization form C or D, or just whatever the user's browser sends) may be a reasonably common choice these days, but if you want to be helpful, you may want to offer your users a choice of different encodings.