<?php
function myhash(string $pwd): string {
// Use md5 to make sure arbitrary length passwords are represented fully and not truncated.
return password_hash(md5($pwd, true), PASSWORD_BCRYPT);
}
function myverify(string $pwd, string $hash): bool {
return password_verify(md5($pwd, true), $hash);
}
var_dump(md5('mj'), md5('oq'));
$hash = myhash('mj');
// Original password 'mj' is not the same as attack password 'oq', but they verify.
var_dump(myverify('oq', $hash));