Using the model-view-controller (MVC) approach is a good way to organize your code and keep logic separate from presentation, but depending on the framework you use, custom or otherwise, it can expose you to a security issue.

If your web server is not configured to refuse direct requests for model and view files, you have a serious security hole: every script under the document root is reachable as a URL, and a view script requested directly runs on its own, without whatever checks normally precede it.
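The server-level fix is to keep only the front controller inside the document root and route every request through it. The nginx configuration below is an added example, not part of the original post or any particular framework; the directory layout (/var/www/app with a public/ subdirectory), the PHP-FPM socket path and the domain name are assumptions. The weak setting is shown commented out next to the corrected one.

```nginx
# Added example: deny direct serving of model and view files.
# Assumed layout: /var/www/app/public is the only directory meant to be served;
# /var/www/app/app holds the model and view scripts.
server {
    listen 80;
    server_name example.com;

    # Weak: the project directory is the document root, so
    # /app/model.php and /app/views/update.php are valid URLs and get executed.
    # root /var/www/app;

    # Corrected: only public/ is served; model and view files are outside it.
    root /var/www/app/public;
    index index.php;

    # Anything that is not a real file under public/ goes to the front controller.
    location / {
        try_files $uri /index.php?$query_string;
    }

    # The exact-match block wins over the regex below, so index.php is the
    # only script ever handed to PHP-FPM.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Any other *.php request, including a copy of a view dropped into public/,
    # is refused outright rather than executed.
    location ~ \.php$ {
        return 404;
    }
}
```

If the model and view files cannot be moved out of the document root, add a `location ^~ /app/ { return 404; }` block as well so that the directory is unreachable regardless of file type; the prefix-match form with `^~` takes precedence over the regex locations.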

Suppose your model code contains validation that would normally stop a user from reaching the view. If the view (or action) script performs a database update, the user can skip the validation entirely by requesting the view script directly.

If you are not protected by denying access at the web server level, the fallback is to have the view check for a variable (or constant) that only the model or the front controller sets, and abort if it is missing. This is only as strong as the guarantee that a direct request cannot set that variable itself, so it must be set from code, never from request input, and it is defense in depth rather than a substitute for the server-level denial.

Model
validate the user
validated = true

View/Action
if not validated:
    abort
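The pseudocode above, carried through in PHP as an added example (not the original post's code). The file layout, the APP_ENTRY sentinel constant, the session fields used for validation and the SQLite DSN are all assumptions made for illustration; the three sections are three separate files.

```php
<?php
// ===== public/index.php  (front controller; the only PHP file under the web root) =====
// Added example, not the original post's code. File layout, APP_ENTRY and the
// session fields are assumptions.
declare(strict_types=1);

define('APP_ENTRY', true);   // proves to included files that the request came through here

require __DIR__ . '/../app/model.php';        // runs validation, sets $validated
if ($validated !== true) {
    http_response_code(403);
    exit('Forbidden');
}
require __DIR__ . '/../app/views/update.php'; // reached only after validation succeeds
```

```php
<?php
// ===== app/model.php =====
// A direct request for this file starts a fresh PHP execution in which APP_ENTRY
// was never defined, so the script stops before doing anything.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;
}
session_start();
// Validation lives here, in one place: the caller must be a logged-in editor (assumed fields).
// $validated is assigned from code only; nothing from $_GET/$_POST can set it.
$validated = isset($_SESSION['user_id'])
    && (($_SESSION['role'] ?? '') === 'editor');
```

```php
<?php
// ===== app/views/update.php =====
// Same sentinel check, plus a re-check of the model's result: the update cannot
// run unless the front controller ran the model and the model said yes.
if (!defined('APP_ENTRY') || !isset($validated) || $validated !== true) {
    http_response_code(404);
    exit;
}
$pdo = new PDO('sqlite:' . __DIR__ . '/../../data/app.sqlite');   // assumed DSN
$stmt = $pdo->prepare('UPDATE posts SET title = :title WHERE id = :id');
$stmt->execute([
    ':title' => (string) ($_POST['title'] ?? ''),
    ':id'    => (int) ($_POST['id'] ?? 0),
]);
echo 'Updated';
```

The check in the view deliberately uses `isset($validated)` before comparing, so a direct request, where the variable was never assigned, fails closed instead of relying on an undefined variable evaluating as false. Responding with 404 rather than 403 for the sentinel failure avoids confirming to a scanner that the file exists and is a protected script.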
