Modern web applications don't just send simple strings and integers; they transmit deeply nested JSON, multi-part form data, and complex query parameters. ASP.NET Core's Model Binder is an intelligent engine that automatically maps this incoming HTTP data into strongly-typed C# objects, validation included.
Model Binding is the process where ASP.NET Core maps data from an HTTP request (URI, Query String, Form Data, Request Body, Headers) to action method parameters or properties of a controller. When working with Complex Types (classes rather than primitives), the model binder uses reflection to match incoming data keys to public property names.
If you don't explicitly specify where data comes from using attributes, the model binder searches in this exact order:
application/x-www-form-urlencoded){{id}} in /products/{{id}})?category=electronics&sort=price)Note: The Request Body (JSON/XML) is NOT searched by default. You must explicitly use [FromBody].
In production APIs and advanced MVC applications, you should explicitly declare where your parameters come from. This prevents security vulnerabilities (like mass assignment) and improves performance.
| Attribute | Data Source | Typical Use Case |
|---|---|---|
[FromBody] | Request Payload (JSON/XML) | Complex objects in REST APIs (POST/PUT) |
[FromForm] | HTML Form Submission | File uploads, standard web forms |
[FromRoute] | URL Path Segments | Resource Identifiers (e.g., id, slug) |
[FromQuery] | URL Query String | Search parameters, filtering, pagination |
[FromHeader] | HTTP Headers | Auth tokens, custom client identifiers |
[FromServices] | Dependency Injection | Injecting services directly into action parameters |
// Models — Deeply nested complex types
public class CreateOrderCommand
{
public CustomerDetails Customer { get; set; }
public Address ShippingAddress { get; set; }
public List<OrderItem> Items { get; set; } = new();
}
public class CustomerDetails { public string Name { get; set; } public string Email { get; set; } }
public class Address { public string City { get; set; } public string ZipCode { get; set; } }
public class OrderItem { public int ProductId { get; set; } public int Quantity { get; set; } }
<!-- Views/Order/Create.cshtml — Naming convention handles the nesting -->
<form method="post">
<!-- Bind to Customer object -->
<input name="Customer.Name" type="text" />
<input name="Customer.Email" type="email" />
<!-- Bind to Address object -->
<input name="ShippingAddress.City" type="text" />
<input name="ShippingAddress.ZipCode" type="text" />
<!-- Bind to Collections (Zero-Indexed) -->
<input name="Items[0].ProductId" type="hidden" value="101" />
<input name="Items[0].Quantity" type="number" />
<input name="Items[1].ProductId" type="hidden" value="405" />
<input name="Items[1].Quantity" type="number" />
<button type="submit">Submit Order</button>
</form>// Often, an entity's ID comes from the Route, but its data comes from the Body.
[HttpPut("api/users/{id:int}")]
public async Task<IActionResult> UpdateUser(
[FromRoute] int id, // Comes from URL path
[FromBody] UserUpdateDto dto, // Comes from JSON payload
[FromHeader(Name = "X-Tenant-Id")] string tenantId) // Multi-tenant context
{
if (id != dto.Id) return BadRequest("ID mismatch");
await _userService.UpdateAsync(tenantId, id, dto);
return NoContent();
}public class ProductSearchQuery
{
public string Keyword { get; set; }
public decimal? MinPrice { get; set; }
public decimal? MaxPrice { get; set; }
public List<string> Categories { get; set; } = new();
}
// Controller
// URL: /shop?Keyword=laptop&MinPrice=500&MaxPrice=1500&Categories=gaming&Categories=work
[HttpGet("shop")]
public async Task<IActionResult> Search([FromQuery] ProductSearchQuery query)
{
// ASP.NET automatically populates the complex 'query' object
// and binds the multiple 'Categories' query params into the List.
var results = await _productService.SearchAsync(query);
return View(results);
} A massive security risk occurs when your complex object has properties (like IsAdmin or Balance) that you don't want the user to modify, but a malicious user submits them anyway.
public class User {
public int Id { get; set; }
public string Name { get; set; }
public bool IsAdmin { get; set; } // DANGER!
}
public IActionResult Update(User user) {
_db.Users.Update(user); // Attacker sends "IsAdmin=true"
}// Approach 1: Allowlist using [Bind]
public IActionResult Update(
[Bind("Id,Name")] User user) {
// IsAdmin is ignored during binding
}
// Approach 2: Use ViewModels/DTOs (Best Practice)
public class UserUpdateDto {
public string Name { get; set; }
}ViewModels or DTOs to control exactly what data is accepted.[FromBody] allowed! ASP.NET Core reads the request body stream once. You cannot have ([FromBody] User u, [FromBody] Profile p). Wrap them in a single parent class.[BindRequired] instead of [Required] when data comes from Query/Route. [BindRequired] forces the model binder to fail immediately if the parameter is entirely missing from the request.Q: "Why does my [FromBody] complex object always bind as null, even though I'm sending JSON?"
Answer: "There are three common culprits architecture-wide. First, the client isn't sending the Content-Type: application/json header, so the ASP.NET Core JSON input formatter ignores the payload. Second, the JSON schema doesn't match the C# schema (e.g., nested objects aren't structured correctly). Third, and most subtle, the C# model doesn't have a parameterless constructor or public property setters, making it impossible for the `System.Text.Json` deserializer to instantiate and populate the object."