Is it a bad practice using model classes in controller in mvc?

Question

I wanted to compare with best practices when working with an ORM or database tables in asp.net mvc. One of the major questions I have is should I instantiate

Answer 1

Yes, it is a bad practice, because of the problem of "over-posting".

For instance, consider an Entity model for a UserProfile:

  public class UserProfile
  {
    public string UserName { get; set; }
    public bool IsAdmin { get; set; }
    public string EmailAddress { get; set; }
    public string FirstName { get; set; }
    public string LastName { get; set; }
  }

Your user profile page allows the user to Edit their FirstName, LastName, and EmailAddress.

An unscrupulous user could simply modify the form to post "IsAdmin" along with the other values. Because your Action is expecting an input of UserProfile, the IsAdmin value will be mapped as well, and eventually persisted.

Here is an excellent writeup about the perils of under and overposting.

I see nothing wrong with binding Entity models directly to your [HttpGet] methods, though.