password_hash() handles salting and algorithm selection for you. It's baked into PHP, so just use it and don't worry about how to hash and salt.
$HashedPassword = password_hash($UsersEnteredPassword, PASSWORD_BCRYPT);
// $HashedPassword will always be a 60 character string, or FALSE on failure.
// The string incorporates the algorithm used, cost and salt as part of the returned hash.
// You store the string in your db (no need to separately store the salt) and then use it to verify passwords later.
// Future hashing may return more than 60 characters if the default algorithm moves away from bcrypt, so you should store it in a db column that can take 255 characters.

// To verify it:
if (password_verify($UsersEnteredPassword, $HashedPassword)) {
    // The entered password matches the stored hash
}
BCRYPT output uses a fixed limited character set and is OK to use directly in SQL strings.
If you need to force fixed settings
// Normally password_hash() picks the algorithm, cost and salt for you and stores them within the hash. However, if you need fixed settings for some reason you can use it like this:
// (The 'salt' option is deprecated as of PHP 7.0 and ignored as of PHP 8.0, where a salt is always generated for you.)
$HashedPassword = password_hash($UsersEnteredPassword, PASSWORD_BCRYPT, ['cost' => 10, 'salt' => ':[email protected]`8Ax]k7G7DM^6g&efeU52H/-p']);
if ($HashedPassword === FALSE) return;
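An added example (not part of the original page) of the store-and-verify flow described above. It goes one step further and uses password_needs_rehash() to upgrade a hash stored at an older cost when the user next logs in. The users table, register(), login(), HASH_OPTIONS and the sample account are assumptions made for the demo, which runs against an in-memory SQLite database through PDO.

```php
<?php
// Added example: table name, function names and sample data are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 characters leaves room for longer hashes from future algorithms.
$db->exec('CREATE TABLE users (name VARCHAR(64) PRIMARY KEY, hash VARCHAR(255) NOT NULL)');

const HASH_OPTIONS = ['cost' => 12]; // constructed target cost for this demo

function register(PDO $db, string $name, string $password, array $options): void
{
    // Only the hash string is stored; algorithm, cost and salt live inside it.
    $hash = password_hash($password, PASSWORD_BCRYPT, $options);
    $stmt = $db->prepare('INSERT INTO users (name, hash) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function login(PDO $db, string $name, string $password): bool
{
    // The user name is user input, so it is always bound as a parameter.
    $stmt = $db->prepare('SELECT hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // The stored string records the cost it was made with. If that differs
    // from the current target, re-hash while the plaintext is still in hand.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, HASH_OPTIONS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
        $upd = $db->prepare('UPDATE users SET hash = ? WHERE name = ?');
        $upd->execute([$new, $name]);
    }
    return true;
}

function storedCost(PDO $db, string $name): int
{
    $stmt = $db->prepare('SELECT hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return password_get_info($stmt->fetchColumn())['options']['cost'];
}

// Constructed sample account, stored at an older, lower cost.
register($db, 'alice', 'correct horse battery staple', ['cost' => 10]);
echo 'cost before login: ', storedCost($db, 'alice'), "\n";
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'alice', 'correct horse battery staple'));
echo 'cost after login: ', storedCost($db, 'alice'), "\n";
```

Because the target cost is read in one place, raising it later upgrades each account's hash the next time that user logs in, with no bulk migration and no separate salt column.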