I have an input field where the users enter their username and password. Do I need to hash the password that they input, or is it OK to leave it and just use it in password_verify against the hashed database password? I am using password_hash to hash them with PASSWORD_BCRYPT and don't know how to compare them if I have to hash the input as well as the stored password.
No. When you use password_hash or similar functions to hash your passwords you should not hash the password before testing it with password_verify. At least as long as you don't "double hash it" which is quite useless.
The password_hash method will return a value which contains which hash it uses, the salt and the cost. So when it's passed to the password_verify method the method will know what to do with the clear text password passed as first argument.
You can read about all this at the PHP docs:
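
The following is an added example, not part of the original answer or the PHP documentation. It shows the parameters embedded in a bcrypt hash string, the plaintext check with password_verify, and why hashing the submitted password first cannot match. The function name checkLogin, the sample password and the cost of 12 are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: in a real application this string is read from the
// users table, where it was stored at registration time.
$storedHash = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 12]);

// The stored string is self-describing: algorithm identifier, cost and salt
// are all encoded in it, which is what password_verify reads back.
$info = password_get_info($storedHash);
printf("algorithm: %s\n", $info['algoName']);
printf("cost:      %d\n", $info['options']['cost']);
printf("prefix:    %s\n", substr($storedHash, 0, 7));

// Hypothetical helper: pass the submitted password exactly as the user typed it.
// password_verify re-derives the hash using the salt and cost taken from
// $storedHash and compares the result in constant time.
function checkLogin(string $submitted, string $storedHash): bool
{
    return password_verify($submitted, $storedHash);
}

printf("right password accepted: %s\n",
    var_export(checkLogin('correct horse battery staple', $storedHash), true));
printf("wrong password accepted: %s\n",
    var_export(checkLogin('not the password', $storedHash), true));

// Hashing the input first does not work. Every password_hash call picks a
// fresh random salt, so a second hash of the same password is a different
// string, and feeding that string to password_verify treats it as the
// password itself.
$hashedInput = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 12]);
printf("two hashes of same password identical: %s\n",
    var_export(hash_equals($storedHash, $hashedInput), true));
printf("pre-hashed input accepted: %s\n",
    var_export(checkLogin($hashedInput, $storedHash), true));
```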