Difference between #4 and #3 of Model password confirmation field.

Model password confirmation field.
password confirm, password, confirm
I had some troubles with the password confirmation field when adding or
updating user records, so I thought that I should share the way I got it

The scenario is the basic one: you have a database table (say user) and this
table has a field called password, which is a sha1/md5/etc hash of the user

This is the workflow:  
When you create a new user, the plain-text password is hashed and saved. If the
same thing happens when you update a user record, the model re-hashes the value
it loaded from the database and we end up with a hash of the already hashed
password, which we don't want. Instead, on update, we empty the password on the
model object and store the hash temporarily in another variable, then check
whether a password was submitted in the form. If it was, the user's password
needs to be updated, so we hash the submitted password (which is plain text at
this point). If it wasn't, the password doesn't need to be updated, so we
restore it from the temporary variable.

So, here we go, the model:  

<?php if ( ! defined('YII_PATH')) exit('No direct script access allowed');

class User extends CActiveRecord
    // holds the password confirmation word
    public $repeat_password;
    // will hold the hashed password for update actions.
    public $initialPassword;
	 * @return array validation rules for model attributes.
	public function rules()
		// NOTE: you should only define rules for those attributes that
		// will receive user inputs.
		return array(
            //password and repeat password
            array('password, repeat_password', 'required',
'on'=>'update, insert'),'on'=>'insert'),
            array('password, repeat_password', 'length', 'min'=>6,
            array('password', 'compare',

	public function beforeSave()
        // in this case, we will use the old hashed password.
        if(empty($this->password) && empty($this->repeat_password)
&& !empty($this->initialPassword))

        return parent::beforeSave();
    public function afterFind()
        //reset the password to null because we don't want the hash to be shown.
        $this->initialPassword = $this->password;
        $this->password = null;

    public function saveModel($data=array())
            //because the hashes needs to match
            if(!empty($data['password']) &&
                $data['password'] =
                $data['repeat_password'] =

                return CHtml::errorSummary($this);

	     return true;


When the user is created, we do it with the "insert" scenario, meaning
that the password is required, but when we update it, we do it with the
"update" scenario, meaning that the password is not required anymore,
therefore when the form is submitted, the password fields can be empty, and the
validation won't fail. This allows us to restore the hashed password from the
temporary variable.  
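
The stash-and-restore workflow above, as a stand-alone added example (not the article's own code and not Yii's API): the `UserRecord` class and its method names are hypothetical. It uses PHP's `password_hash()`/`password_verify()` in place of the sha1/md5 hash the article mentions, and the sample passwords are constructed.

```php
<?php
// Added example: stand-alone sketch of the stash/restore workflow, no Yii required.
// UserRecord and its method names are hypothetical; only the idea mirrors the article.
class UserRecord
{
    public $password;          // plain text from the form, or null after load
    public $repeat_password;   // confirmation field, never stored
    private $initialPassword;  // stored hash, kept aside while the form is edited

    // Equivalent of afterFind(): hide the stored hash from the form.
    public function load($storedHash)
    {
        $this->initialPassword = $storedHash;
        $this->password = null;
    }

    // Equivalent of beforeSave(): returns the value to write to the password column.
    public function passwordForStorage()
    {
        if ((string) $this->password === '' && (string) $this->repeat_password === '') {
            if (empty($this->initialPassword)) {
                throw new InvalidArgumentException('A new user needs a password');
            }
            return $this->initialPassword;   // update without change: keep old hash
        }
        if ($this->password !== $this->repeat_password) {
            throw new InvalidArgumentException('Passwords do not match');
        }
        // Hash the plain text exactly once. password_hash() salts per call, which is
        // why the confirmation is compared as plain text above, not as two hashes.
        return password_hash($this->password, PASSWORD_DEFAULT);
    }
}

// Constructed sample data.
$stored = password_hash('first-secret', PASSWORD_DEFAULT);

$user = new UserRecord();
$user->load($stored);                           // update form left blank
var_dump($user->passwordForStorage() === $stored);

$user->password = $user->repeat_password = 'second-secret';
$newHash = $user->passwordForStorage();         // update form with a new password
var_dump(password_verify('second-secret', $newHash));

// The failure the article avoids: hashing the stored hash again on update.
var_dump(password_verify('first-secret', password_hash($stored, PASSWORD_DEFAULT)));
```
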

Just as a side note, here is how my controller methods look:  

public function actionCreate()
		$user=new User('insert');

		$this->render('create', $this->getViewData());

public function actionUpdate($id)


		$this->render('update', $this->getViewData());

protected function saveModel(User $user)
			$msg = $user->saveModel($_POST['User']);
			//check $msg here

And this is the rendering form:  

        <?php echo $form->labelEx($user,'password'); ?>
            <?php echo
$form->passwordField($user,'password',array('maxlength'=>40)); ?>
            <?php echo
        <?php echo $form->error($user,'password'); ?>
Hope it helps :)