bcrypt and sanitizing passwords?

I want to allow using special chars in password, however I would like to know: is it safe to use untouched password from $_POST and then store its hash in the database?

Like This:

password_hash($_POST['password'], PASSWORD_BCRYPT)

and

password_verify($_POST['password'], $hashFromDatabase)

Username would be validated for alphanumeric, and both stored in database via PDO?

Yes and no. Although you will not have any problems with the special characters, you can with the length. According to the manual:

Caution

Using the PASSWORD_BCRYPT for the algo parameter, will result in the password parameter being truncated to a maximum length of 72 characters.

Now the truncated passwords will always match, but you might give users a false sense of security as passwords longer than 72 characters are truncated.

See a simple example here.

A bit of a hypothetical situation though...

Yes it is safe to use the $_POST['password'] variable directly as input of the password_hash() function, because BCrypt even works with binary input. The output of the function is a hash string, which cannot contain any "harmful" characters regarding SQL-injection.
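The two points above (untouched special characters are fine as bcrypt input; only the 72-byte limit matters) can be checked directly. The following is an added PHP example, not code from the question or either answer. It assumes nothing beyond PHP's built-in password_hash()/password_verify(); the passwords, the `hashPassword()`/`verifyPassword()` helpers, the 72-byte constant and the commented PDO statement are constructed for illustration.

```php
<?php
// Added example: shows that PASSWORD_BCRYPT only uses the first 72 bytes of
// the password, and a defensive length check to apply before hashing.

declare(strict_types=1);

// bcrypt's input limit, in bytes (the manual says "characters", but the
// algorithm operates on bytes; strlen() below counts bytes for that reason).
const BCRYPT_MAX_BYTES = 72;

/**
 * Hash a raw password taken straight from user input. No escaping or
 * "sanitizing" is needed: the bytes are only fed to bcrypt, never to SQL.
 * The one thing worth checking is the byte length, because bcrypt silently
 * ignores everything after byte 72.
 */
function hashPassword(string $password): string
{
    // A short password in a multibyte script can still exceed 72 bytes.
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(sprintf(
            'Password exceeds %d bytes and would be truncated by bcrypt',
            BCRYPT_MAX_BYTES
        ));
    }
    // cost 12 is a constructed choice; tune it to the server's hardware.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// --- 1. The truncation the manual warns about -------------------------
// Two constructed passwords that share their first 72 bytes and differ after.
$base  = str_repeat('a', BCRYPT_MAX_BYTES);
$long1 = $base . 'XXXX';
$long2 = $base . 'YYYY';

$hashOfLong1 = password_hash($long1, PASSWORD_BCRYPT);
var_dump(password_verify($long2, $hashOfLong1)); // bool(true): bytes past 72 were ignored

// With the length check in place, the over-long password is rejected up front
// instead of being accepted with a silently shortened secret.
try {
    hashPassword($long1);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// --- 2. Special characters are not a problem --------------------------
// Quotes and SQL-looking text go through untouched; only the hash is stored.
$tricky = "p@ss'word\" OR 1=1; --";
$hash   = hashPassword($tricky);
var_dump(verifyPassword($tricky, $hash));     // bool(true)
var_dump(verifyPassword("p@ss'word", $hash)); // bool(false)

// The bcrypt hash string is 60 ASCII characters ("$2y$..."), so it is safe
// to bind to a prepared statement as an ordinary string. Constructed sketch,
// assuming a $pdo connection and a `users` table:
// $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
// $stmt->execute([':u' => $username, ':h' => $hash]);
```

Rejecting over-long input (or documenting the limit in the UI) is the simplest fix; the alternative of pre-hashing the password before bcrypt has its own pitfalls and is not what the answers above recommend, so it is deliberately left out here.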