How come the documentation states that password_hash can return either a string or value false, but the following line of code returns NULL?

$password = password_hash($password1, PASSWORD_BDCRYPT, array( 'cost' => 10 ));

Despite the fact that it is not documented, the function does return NULL when one provides an incorrect value for algorithm.

Currently supported constants are:

• PASSWORD_BCRYPT
• PASSWORD_DEFAULT

And a typo in this case (PASSWORD_BDCRYPT rather than PASSWORD_BCRYPT) results in the value of NULL being passed, that in turn causes the same value as the return.

Edit: Any other string that has not been defined before would also evaluate as NULL.

As said before, incorrect parameter results in NULL being returned. Just to be complete: note that this goes not for just incorrect algorithm number, but also for providing incorrect $options parameter - e.g. calling:

password_hash('something', PASSWORD_DEFAULT, 10);

will also return NULL with no other error.