PHP's password_* functions make it difficult to misuse in this particular way. There's no function in that API which hashes a password with a controllable salt and returns the result; there's only password_hash(), which always uses a random salt, and password_verify(), which rehashes a password internally and returns a bool for whether it matched.
(It's still got the truncates-at-72 problem with PASSWORD_BCRYPT, though.)
(It's still got the truncates-at-72 problem with PASSWORD_BCRYPT, though.)