The comment in your example wouldn't be needed in that particular case.
But, imagine this one
"select * from table where password='$var2' and username='$var1';"
"select * from table where password='blah' or 1==1-- and username='foo';"
Note: MySQL requires a whitespace character after the double dash for it to be considered a comment.
Checking the values for signs of SQL injection is definitely not what you want to do. Simply escape the values, or even better, use prepared statements. You still probably want to validate your user input, but do it for other reasons, not for protection against SQL injection.
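As an added illustration of the two points above (not code from either commenter), the following Python script builds the comment's query both ways: once by splicing the values into the string, and once with a prepared statement. It uses an in-memory SQLite database instead of MySQL, and the table, rows and column names are constructed for the example; SQLite happens to accept `1==1` and a `--` comment without a following space, so the payload from the comment works unchanged against the concatenated version.

```python
import sqlite3

# Constructed sample rows for the demo (not from the original thread).
ROWS = [("foo", "correct horse"), ("admin", "s3cret")]


def make_db():
    """Create an in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", ROWS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: values are spliced into the SQL text, as in the comment's example.

    A password of "blah' or 1==1--" turns the statement into
        ... where password='blah' or 1==1-- and username='foo';
    and the trailing username check is commented out.
    """
    sql = (f"select * from users where password='{password}' "
           f"and username='{username}';")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username, password):
    """Safe: placeholders keep the values out of the SQL grammar.

    The driver passes the values separately, so quotes and '--' inside
    them are compared as data and never parsed as SQL.
    """
    sql = "select * from users where password=? and username=?"
    return conn.execute(sql, (password, username)).fetchall()


def demo():
    """Return (rows from concat, rows from prepared) for the injected password."""
    conn = make_db()
    payload = "blah' or 1==1--"
    return login_concat(conn, "foo", payload), login_prepared(conn, "foo", payload)


if __name__ == "__main__":
    concat_rows, prepared_rows = demo()
    print("string concatenation returned", len(concat_rows), "rows")  # every row
    print("prepared statement returned", len(prepared_rows), "rows")  # none
```

Running it shows the concatenated query returning every row in the table while the prepared statement returns nothing, with no pattern matching on the input at all; validation can then be kept for its real purpose (length, character set, business rules) rather than as an injection filter.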