I'm working with injections and the tricks behind them, so I came across the way of commenting out MySQL queries with #.
As we all know from using named anchors in HTML, in this case of injecting into the URL, # works like an HTML named anchor and isn't harmful for running the query.
The question is why this happens and why PHP doesn't include # as the rest of the input directly? (e.g. ?id=2547#)
Hashes are handled locally by the browser, not sent to the server. E.g. if you write a URL
http://yourdomain.com/script.php?param=foo#id=1234#
the browser just sends GET /script.php?param=foo to the server. When the response comes back, it searches for the id=1234 anchor in the HTML and scrolls down to it.
If you want to send the comment to the server, it needs to be percent-encoded:
http://yourdomain.com/script.php?param=foo%23id=1234%23
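The split described in this answer can be reproduced with the WHATWG URL parser that browsers and Node.js share. This is an added example, not code from the original posts; the function names are hypothetical, and the host for the question's ?id=2547# case is borrowed from the answer's sample URL as an assumption.

```javascript
// Added example: model what a client sends for a typed URL and what
// a server-side runtime (such as PHP's $_GET) would decode from it.

// Split a typed URL into the part that goes on the wire and the part
// that stays in the browser.
function splitUrl(typedUrl) {
  const u = new URL(typedUrl);
  return {
    requestLine: `GET ${u.pathname}${u.search}`, // sent to the server
    fragment: u.hash,                            // never sent
  };
}

// Decode the query string the server actually receives, the way a
// server-side framework percent-decodes each parameter value.
function serverParams(typedUrl) {
  const u = new URL(typedUrl);
  return Object.fromEntries(new URLSearchParams(u.search));
}

// Sample inputs: the two URLs from the answer, plus the question's
// ?id=2547# case on the same (assumed) host.
const rawHash = 'http://yourdomain.com/script.php?param=foo#id=1234#';
const encodedHash = 'http://yourdomain.com/script.php?param=foo%23id=1234%23';
const trailingHash = 'http://yourdomain.com/script.php?id=2547#';

for (const url of [rawHash, encodedHash, trailingHash]) {
  const { requestLine, fragment } = splitUrl(url);
  console.log(url);
  console.log('  request line :', requestLine);
  console.log('  kept locally :', JSON.stringify(fragment));
  console.log('  server sees  :', JSON.stringify(serverParams(url)));
}
```

With the raw #, the server-side value of param is just foo; with %23, the server decodes a value that contains # characters, so it has to be treated as untrusted data like any other input.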
Since the browser considers it a special character and it's not URL-encoded, when the browser encounters the # it assumes that the previous GET parameter (if it existed) has ended.
If it is URL-encoded and the input is not properly sanitized, then it does in fact pose an injection threat; otherwise, if the user input is properly sanitized, I would not worry about this.
Edit:
If the database allows for such input (e.g. varchar2) and the html-special-chars get properly escaped during input, then of course the database will save the user input as they will in fact be just symbols and will not have any special meaning.