If a user types their password in the login form on my site as Password§1234, the corresponding $_POST variable will contain the string Password\xc2\xa71234. This string is then hashed and compared with the password hash already in the database.
This wouldn't ordinarily be a problem because this escaping would occur both at the signup and login stages and would therefore still match the hash in the database. However, my site allows logins through a desktop API and this API interprets the string correctly without escaped characters before hashing. Consequently the desktop hash doesn't match and the user therefore cannot login.
I know there are a lot of threads on this topic, however I could not find any solutions that dealt with my problem, which may be something to do with the fact that the syntax is \xc2\xa7 rather than U+00A7.
The easiest solution of course would be to escape it on the desktop but I would much rather fix the problem than make everything equally incorrect. It's also easier to update the server than ship multiple app updates out.
Looks like you can just use utf8_encode($password). Sample here