MD5 and all other hashes still take arbitrary bytes as input, so they wouldn't be the source of any restrictions; I suspect the majority of them are due to character set/encoding issues more than anything else.

Presumably he's talking about code like this:

   $cursor.execute("SELECT * FROM users WHERE username = '$username' AND hash = MD5('password')")

Allowing any value would allow for SQL injections, so the programmer does the lazy thing and "sanitize" the inputs ($username/$password) with a roll-your-own "sanitizing" function that throws an error if there are "evil" characters.