According to its documentation PHP's password_verify()
function
Returns TRUE if the password and hash match, or FALSE otherwise. [highlight added by me]
The documentation also indicates that the functions parameters are:
password
The user's password.
hash
A hash created by password_hash().
The documentation does not provide any insight about errors/exceptions/warning with respect to cases in which those parameters are "corrupted" or invalid.
Some quick testing showed me that the question is rather tolerant with regard to "garbage" being passed in (especiallty in the hash
parameter). My question is if I can rely on this behavior, as it would be somewhat implied in the "Returns[...]or FALSE otherwise" part?