PHP's password_hash functions are almost certainly your best bet. They do everything you're supposed to do, and they do it right, with as simple of an API as you could ever hope for.
Every password by default gets a unique 128-bit salt and 1,024 iterations. Definitely secure against rainbow attacks and other known forms of attack.
Probably PBKDF2 < bcrypt < scrypt
PBKDF2 can use an arbitrary amount of computing power. Bcrypt can also use an arbitrary amount of computing power but also has an expensive memory cost. Scrypt can use an arbitrary amount of computing power and an arbitrary amount of memory. Though, bcrypt is plenty sufficient and available through the convenient password_hash functions, so that's probably still your best bet.