Are you using the AuthComponent? Be aware that it hashes all incoming password fields (but not "password confirm" fields, check with debug($this->data)), so the fields will never be the same. Read the manual and use AuthComponent::password to do the check.
Having said that, here's something I use:
public $validate = array(
'password' => array(
'confirm' => array(
'rule' => array('password', 'password_control', 'confirm'),
'message' => 'Repeat password',
'last' => true
),
'length' => array(
'rule' => array('password', 'password_control', 'length'),
'message' => 'At least 6 characters'
)
),
'password_control' => array(
'notempty' => array(
'rule' => array('notEmpty'),
'allowEmpty' => false,
'message' => 'Repeat password'
)
)
);
public function password($data, $controlField, $test) {
if (!isset($this->data[$this->alias][$controlField])) {
trigger_error('Password control field not set.');
return false;
}
$field = key($data);
$password = current($data);
$controlPassword = $this->data[$this->alias][$controlField];
switch ($test) {
case 'confirm' :
if ($password !== Security::hash($controlPassword, null, true)) {
$this->invalidate($controlField, 'Repeat password');
return false;
}
return true;
case 'length' :
return strlen($controlPassword) >= 6;
default :
trigger_error("Unknown password test '$test'.");
}
}
This is bad for the following reasons:
- Has tight coupling to the form, always expects a field
password_control to be present. You need to use field whitelisting or disable validation if you don't have one in your data, i.e.: $this->User->save($this->data, true, array('field1', 'field2')).
- Manually hashes the password the way the AuthComponent does (since there's no clean access to components from the model). If you change the algorithm used in the AuthComponent, you need to change it here as well.
Having said that, it transparently validates and produces proper error messages for both the password and password control fields without requiring any additional code in the controller.