Let's use an example where you have a SQL table with Date_Created and Date_Updated columns. You also have a file in your MVC application at /Views/App/Edit, which produces a web page such as www.example.com/App/Edit/1. When submitting an update, only the Date_Updated column should be updated. One way to accomplish this is to use the HiddenFor HTML helper.
@Html.HiddenFor(model => model.Date_Created)
Because the Date_Created field is hidden, the rendered page at www.example.com/App/Edit/1 does not let us view or update the data in Date_Created. If we view the source of the web page, we should see something like this:
<input id="Date_Created" name="Date_Created" type="hidden" value="2016-01-01" />
However, a hidden field is still submitted with the form, so by using Fiddler, a web debugging proxy, to change the posted value, we will be able to update the Date_Created data in the database. You can download and install Fiddler from https://www.telerik.com/download/fiddler.
Now, if we return to www.example.com/App/Details/1, Date_Created will display 1999-01-01. Although changing a creation date is a fairly innocent example, it demonstrates a vulnerability when relying on the HiddenFor HTML helper: the value of a hidden field is still controlled by the client. This vulnerability can be mitigated by excluding the property from model binding with the Bind attribute.
In the /Controllers/ExampleController file in your MVC application, locate the public ActionResult Edit action method, and modify its signature to exclude the Date_Created column, replacing table_name with the name of your SQL table.
public ActionResult Edit([Bind(Exclude = "Date_Created")] Table_name table_name)
Now, if we view the page source, there is no markup for the Date_Created column. Also, Fiddler is unable to modify the Date_Created data, because the model binder ignores any Date_Created value in the posted form.
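The same protection written as an allow-list, which goes one step beyond Bind(Exclude): the POST action loads the stored row and binds only the field the form is meant to edit, so a posted Date_Created is never applied and the stored value is preserved. This is an added example, not code from the original page; Record, AppDbContext, the Name property, the AppController name and the use of Entity Framework 6 are assumptions.

```csharp
using System;
using System.Data.Entity;   // Entity Framework 6 (assumed data layer)
using System.Net;
using System.Web.Mvc;

// Hypothetical entity; only Date_Created and Date_Updated come from the page.
public class Record
{
    public int Id { get; set; }
    public string Name { get; set; }
    public DateTime Date_Created { get; set; }
    public DateTime Date_Updated { get; set; }
}

public class AppDbContext : DbContext   // hypothetical EF context
{
    public DbSet<Record> Records { get; set; }
}

public class AppController : Controller
{
    private readonly AppDbContext db = new AppDbContext();

    // GET /App/Edit/1
    public ActionResult Edit(int id)
    {
        Record record = db.Records.Find(id);
        return record == null ? (ActionResult)HttpNotFound() : View(record);
    }

    // POST /App/Edit/1
    [HttpPost, ActionName("Edit")]
    public ActionResult EditPost(int id)
    {
        // Start from the stored row so Date_Created keeps its database value.
        Record record = db.Records.Find(id);
        if (record == null) return HttpNotFound();

        // Allow-list: bind only the fields the form is meant to edit.
        // A posted Date_Created (or any other extra field) is ignored.
        if (TryUpdateModel(record, "", new[] { "Name" }))
        {
            record.Date_Updated = DateTime.UtcNow; // set server-side, never taken from the request
            db.SaveChanges();
            return RedirectToAction("Details", new { id = record.Id });
        }
        return View(record); // validation failed: redisplay the form
    }
}
```

With this pattern the view no longer needs @Html.HiddenFor for Date_Created, because the value is read from the database rather than round-tripped through the form.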