I am new to PHP and am now learning about password security. I read about the crypt() and password_hash() functions in the PHP documentation. I understand the crypt() and password_hash() functions on their own, but how do I use them together? Do I still have to define a salt in the crypt() function, or leave it blank like password_hash(crypt($password,''),PASSWORD_DEFAULT);
The function password_hash() internally uses the crypt() function. It is a wrapper which takes care of all the possible pitfalls, like the generation of a cryptographically safe salt, or the choice of the suitable algorithm.
So there is no need to combine the functions, and no need to generate a salt on your own; just use password_hash() and password_verify() and you are fine.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($_POST['password'], PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($_POST['password'], $existingHashFromDb);
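To see the whole lifecycle the answer describes, here is an added example (not code from the question or the answer above) covering registration, login, and the cost upgrade that password_needs_rehash() enables. It also shows, via password_get_info(), that the string password_hash() returns already carries the algorithm, cost and salt in crypt() format, which is why no separate crypt() call or salt is needed. The in-memory $users array, the HASH_OPTIONS cost of 12, the user names and the passwords are all constructed for this example; the dummy password_hash() call on an unknown username is an extra, common hardening step against account enumeration by response time and is not something the original answer discusses.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original question or answer.
// A minimal registration/login flow built only on password_hash(),
// password_verify() and password_needs_rehash(). The in-memory $users
// array stands in for a database table (constructed for this example).

// bcrypt cost factor (assumed policy value); raise it as hardware gets faster.
const HASH_OPTIONS = ['cost' => 12];

/** @var array<string,string> username => stored hash (stands in for the DB) */
$users = [];

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() draws a random salt from the CSPRNG and encodes the
    // algorithm id, cost and salt into the returned string in crypt() format
    // (e.g. "$2y$12$..." for bcrypt), so the salt never has to be generated
    // or stored separately. Calling crypt() first would only add a second,
    // redundant hashing step.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    $storedHash = $users[$username] ?? null;
    if ($storedHash === null) {
        // Unknown user: spend roughly the same time as a real verification so
        // a fast "no such user" response cannot be used to enumerate accounts.
        password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
        return false;
    }

    // password_verify() parses algorithm, cost and salt out of $storedHash,
    // recomputes the hash and compares in constant time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // If the stored hash predates the current algorithm/cost policy, replace
    // it now while the plaintext is available. This is how the cost can be
    // raised over time without forcing password resets.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }
    return true;
}

// Demo with constructed inputs.
registerUser($users, 'alice', 'correct horse battery staple');

// The stored string carries the algorithm name and the cost; no extra columns needed.
var_dump(password_get_info($users['alice']));

var_dump(loginUser($users, 'alice', 'correct horse battery staple')); // correct password
var_dump(loginUser($users, 'alice', 'wrong password'));               // wrong password
var_dump(loginUser($users, 'bob', 'anything'));                       // unknown user

// Simulate a legacy row hashed with a lower cost: the next successful
// login re-hashes it under the current HASH_OPTIONS.
$users['legacy'] = password_hash('old-password', PASSWORD_BCRYPT, ['cost' => 10]);
loginUser($users, 'legacy', 'old-password');
var_dump(password_get_info($users['legacy'])['options']);
```

Run it with `php example.php`. The cost value is the one knob worth tuning: measure how long password_hash() takes on the login server and pick the highest cost that still keeps a login under a few hundred milliseconds, then rely on password_needs_rehash() to migrate existing rows the next time each user logs in.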