To filter username/password or not to filter?

// Username: run through the sanitize-string filter with low control characters stripped, then trimmed
$username = trim(filter_var($_POST['username'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW));
// Password: trimmed only, otherwise left as the user typed it
$password = trim($_POST['password']);

Am I supposed to filter the username before using the input in a query execution? I also do not know if I should use filter_var or filter_input in this situation. I've also read that control characters should be filtered from input (hence the use of FILTER_FLAG_STRIP_LOW). I don't think that a password should be filtered because it could mess up the input, correct? But what if the password contains executable code? Does a PDO prepared statement really thwart the attempt?

Yes, PDO really handles that, as long as the server is set up correctly (no emulated prepares, and UTF-8) and you use proper prepared/parameterized queries.

But the password should be run through a hash algorithm before submitting to the DB, and at least the default implementation (password_hash) renders it absolutely impossible to get executable code after it's hashed.
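The two points in the answer above, shown together in working code. This is an added example, not code from either poster: it disables emulated prepares, binds the username as a parameter, and hashes the password with password_hash without filtering it. The table name, column names and the sample users are constructed for the demo, and it uses an in-memory SQLite database so it runs offline; the MySQL DSN in the comment is the shape the "utf8" remark refers to.

```php
<?php
declare(strict_types=1);

// Added example (not the forum poster's code). SQLite in memory keeps it
// self-contained; on MySQL the DSN would carry the charset, e.g.
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass, $opts);
function connect(): PDO
{
    $opts = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    $pdo = new PDO('sqlite::memory:', null, null, $opts);
    // Constructed schema for the demo
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )');
    return $pdo;
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    // The raw password is never stored and never filtered: whatever bytes the
    // user typed go into the hash, and only the hash reaches the database.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // The username is bound as data, so quotes or SQL keywords inside it are
    // just characters compared against the column, not part of the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();

    if ($row === false) {
        // Unknown user: verify against a dummy hash so the response time is
        // similar to a wrong-password attempt for a real user.
        static $dummy = null;
        $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Demo with constructed users. The password deliberately contains quotes,
// SQL-looking text and a control character to show none of it needs filtering.
$pdo = connect();
registerUser($pdo, 'alice', "x' OR '1'='1 -- \x01<script>");
registerUser($pdo, 'bob', 'correct horse battery staple');

var_dump(login($pdo, 'alice', "x' OR '1'='1 -- \x01<script>")); // bool(true)
var_dump(login($pdo, 'alice', 'wrong'));                            // bool(false)
var_dump(login($pdo, "alice' OR '1'='1", 'anything'));             // bool(false)
var_dump(login($pdo, 'nobody', 'anything'));                        // bool(false)
```

Two things worth noting when adapting this. First, the username filtering in the question is a separate concern from SQL injection: deciding which characters and lengths a username may have is input validation policy, while the prepared statement is what keeps the value from being interpreted as SQL. Second, FILTER_SANITIZE_STRING has been deprecated since PHP 8.1, so a validation rule written as an explicit allow-list (for example a regular expression over the permitted username characters) is the longer-lived choice.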

Thank you, Jim. I appreciate you very much. I definitely hash the POST password before handing it to PDO. I will post my code at github or some site like it in the future. So if anyone has time to correct mistakes or make something better, then the entire process will be viewable.
