PHP

SQL injection. Did you fix it right?

Guys, I found a vulnerability on my site. You can write any line to the database, and then in one place it displays data from the database without filtering. That is, there is XSS (the alert is written, displayed and triggered). This has been corrected.
It was like this: data is collected from different sources, when you click on the button, there was a request to the script that immediately wrote information to the database.
Now: data is collected from different sources, a hash is formed, when the button is pressed, it is sent to a script that checks the hash, and if everything is ok, then info is written to the database.
But I'm more interested in SQL injection. now all quotes are filtered (they are commented with a backslash, as many as 4 pcs, xs why)
if sent from a script: it
' UNION SELECT 1
is written in the database:
\\\\' UNION SELECT 1
Is this enough so that there is no injection?
Can you give an example of when this doesn't work? (necessary :) )
PS Motor purchased from Friel. HE assures that SQL will not pass here.
So now everything is hashed in md5 (with some manipulations + salt) and checked before any actions. And now it's not possible to change the result.
But I'm just wondering if SQL injection is possible here?
It's just possible that the line with SQL will come immediately from the source of information. Is it enough that he comments the quotes?