
sha256 is not designed to hash passwords. To hash passwords, you should prefer to use hash functions created for this usage. You will find all required information below in another question addressing a similar request: Most secure password hash algorithm(s)?.

In the above mentioned question, you will learn why general purpose hash functions like sha256 do not have the right properties to ensure a secure storage of passwords (even when applied to their own output a large number of times), and you will also find a ranking of the most recommended hash functions dedicated to secure password handling:

  1. scrypt: Which is still quite new (published in 2012), but is designed to ensure better security than its predecessor bcrypt,
  2. bcrypt: It was designed specifically for password storage and was the recommended choice for a long time,
  3. PBKDF2: It's actually designed as a key stretching function, i.e. a secure way to derive a cryptographic key from a given password, but its properties also make it suitable for password storage.

In your question you mentioned the PHP function password_hash(). This function is not a hash algorithm per se. In fact, this function is used to allow PHP to select the most trusted password hash algorithm available without having to modify your code.

As indicated in the documentation, as of PHP 5.5.0, bcrypt is selected by default.

WhiteWinterWolf
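The following is an added example, not part of the answer above and not PHP's own password_hash() implementation. It shows in Python's standard library what a dedicated password hashing scheme does that a bare sha256 does not: a random per-password salt, a tunable work factor, parameters stored alongside the derived key so they can be raised later, and a constant-time comparison on verification. It covers scrypt and PBKDF2 from the answer's list (bcrypt is not in the standard library, so it is not shown); the stored-string layout, parameter values and function names are this example's own choices, not a standard format.

```python
import base64
import hashlib
import hmac
import os

# Work-factor parameters, chosen for this example; tune them to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def unsalted_sha256(password: str) -> str:
    """What the answer warns against: a bare sha256 is fast and deterministic,
    so equal passwords give equal digests and precomputed tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, scheme: str = "scrypt") -> str:
    """Return a self-describing record: $scheme$params...$salt$derived-key
    (layout invented for this example)."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    pw = password.encode("utf-8")
    if scheme == "scrypt":
        dk = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
        return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"
    if scheme == "pbkdf2-sha256":
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DK_LEN)
        return f"$pbkdf2-sha256${PBKDF2_ITERATIONS}${_b64(salt)}${_b64(dk)}"
    raise ValueError(f"unknown scheme: {scheme}")


def verify_password(password: str, stored: str) -> bool:
    """Recompute the key with the parameters embedded in `stored` and compare
    in constant time; any malformed record simply fails verification."""
    try:
        fields = stored.split("$")
        if fields[0] != "":
            return False
        scheme = fields[1]
        pw = password.encode("utf-8")
        if scheme == "scrypt":
            _, _, n, r, p, salt_b64, dk_b64 = fields
            expected = _unb64(dk_b64)
            actual = hashlib.scrypt(pw, salt=_unb64(salt_b64), n=int(n), r=int(r),
                                    p=int(p), dklen=len(expected))
        elif scheme == "pbkdf2-sha256":
            _, _, iterations, salt_b64, dk_b64 = fields
            expected = _unb64(dk_b64)
            actual = hashlib.pbkdf2_hmac("sha256", pw, _unb64(salt_b64),
                                         int(iterations), dklen=len(expected))
        else:
            return False
    except ValueError:        # bad base64, bad integer, or wrong field count
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record uses an older scheme or different parameters than the
    current policy, mirroring the idea behind PHP's password_needs_rehash()."""
    fields = stored.split("$")
    if len(fields) == 7 and fields[1] == "scrypt":
        try:
            return (int(fields[2]), int(fields[3]), int(fields[4])) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
        except ValueError:
            return True
    return True   # PBKDF2, unknown or malformed records should be migrated to scrypt
```

Typical use is to call `needs_rehash()` right after a successful `verify_password()` and, since the plaintext is in hand at that moment, store a fresh `hash_password()` result; that is how a deployment raises its work factor over time without forcing password resets.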