schwim I've read the man page and some SE discussions and I see a lot of mention that the hash function provides the salt, so does that mean I never need to store or retrieve this salt? How does the script or function retain that salt for its future use? I wonder how moving the script and db to another server would work?
The hash produced by password_hash consists of a string to identify the hash algorithm, the salt, and the password hash itself. So when you store it in the database, all the information is retained, even if you move it to another database.
schwim My other question (sorry) is how does password_verify differ from simply doing a query for username and hashed password and looking for a result?
It would be the same thing, if you could compute the hashed password. To do that is easy: you just need to know the hashing algorithm used, the salt, and then from there compute the hash of the password that the user enters. Each user has a different salt, so you would need to query the database for the salt. Since the salt is part of the password hash, this means that you have to run a query "to select the id, username, and hashed password where the username matches the username supplied; the password supplied is not part of this query". Great, so now you have the hashing algorithm and the salt. So, you take the password the user entered and compute the hash. You are about to run another "query for username and hashed password and looking for a result"... but that's silly. What else do you want from the database? You already have the hashed password from the database, so you just need to check for the match. Sure, you could get the database to do that for you, but then do you always make a database query whenever you want to check if two PHP strings compare equal?
What you did in your example was to compute a hash of the user's password with an entirely new salt (and possibly a different algorithm). That's great, but even with the same password, it is highly unlikely that there is any entry in the database with the same username and hashed password because for that to happen, the salt generated by password_hash has to be exactly the same as the salt generated by password_hash previously, and since the salt is randomly generated, that is like winning the lottery (maybe like winning it several times).
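The two answers above, as an added example that is not part of the original thread: it pulls the algorithm, cost and salt out of a password_hash() string, shows that re-hashing the same password yields a different string (so a username+hash lookup query misses), and shows the fetch-by-username-then-verify pattern. The login() function and its users(username, password_hash) table are assumptions for illustration.

```php
<?php
// Added example (not from the original thread). Demonstrates what password_hash()
// encodes in its output and why password_verify() is the right comparison.

$password = 'correct horse battery staple';   // constructed sample password

// This single string is all you store; no separate salt column is needed.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
echo "stored: $stored\n";

// password_get_info() reads the algorithm and options back out of the string.
$info = password_get_info($stored);
printf("algo=%s cost=%d\n", $info['algoName'], $info['options']['cost']);

// bcrypt output has the form "$2y$<cost>$<22-char salt><31-char hash>".
// Splitting on '$' exposes the embedded salt (first 22 chars of the last field).
[, $algo, $cost, $saltAndHash] = explode('$', $stored);
$salt = substr($saltAndHash, 0, 22);
echo "identifier=$algo cost=$cost salt=$salt\n";

// Hashing the same password again draws a fresh random salt, so the strings differ.
// A "WHERE username = ? AND password_hash = ?" query built this way never matches.
$again = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump($again === $stored);                           // bool(false)

// password_verify() extracts algorithm, cost and salt from $stored, recomputes the
// hash for the submitted password and compares in constant time.
var_dump(password_verify($password, $stored));          // bool(true)
var_dump(password_verify('wrong password', $stored));   // bool(false)

// Login therefore queries by username only and does the comparison in PHP.
// Assumed schema: users(username, password_hash).
function login(PDO $db, string $username, string $submitted): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                    // unknown user
    }
    return password_verify($submitted, $row['password_hash']);
}
```

Because the cost is part of the stored string too, password_needs_rehash() can later tell you which rows were hashed with an older cost and should be re-hashed on next successful login.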