Exposing database field names in HTML

It is very common to do this. As you've noticed, there is a significant benefit in keeping code simple.

If you do have an SQL injection vulnerability, an attacker can figure out your database structure using INFORMATION_SCHEMA. So hiding your database structure doesn't help you a great deal.

Another concern in this area is mass assignment vulnerabilities. Perhaps a user is allowed to update their user details - name, email, password, etc. But they are not supposed to be able to update the field "is_admin". With code that automatically routes form fields to SQL statements, sometimes vulnerabilities like this can appear.
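
The mass assignment case described in the answer above, shown as an added example that is not part of the original answer: a handler that routes every submitted form field to an UPDATE, next to one that checks field names against an allowlist. The users table, the EDITABLE set and all function names are assumptions made for the illustration.

```python
import sqlite3

# Columns a user may change on their own profile (assumed for this example).
EDITABLE = {"name", "email"}

def make_db():
    """Build a constructed in-memory users table with one non-admin row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "email TEXT, is_admin INTEGER DEFAULT 0)")
    db.execute("INSERT INTO users (id, name, email) "
               "VALUES (1, 'alice', 'alice@example.test')")
    return db

def update_naive(db, user_id, form):
    """Vulnerable: every submitted field name becomes a column in the UPDATE.
    The values are bound parameters, but the client picks the columns."""
    cols = ", ".join(f'"{k}" = ?' for k in form)
    db.execute(f"UPDATE users SET {cols} WHERE id = ?",
               [*form.values(), user_id])

def update_allowlisted(db, user_id, form):
    """Hardened: reject the whole request if any field is outside EDITABLE,
    so the attempt surfaces as an error the application can log."""
    rejected = sorted(set(form) - EDITABLE)
    if rejected:
        raise ValueError(f"fields not editable: {rejected}")
    if not form:
        return
    # Column names now come only from the server-side allowlist.
    cols = ", ".join(f'"{k}" = ?' for k in form)
    db.execute(f"UPDATE users SET {cols} WHERE id = ?",
               [*form.values(), user_id])

def is_admin(db, user_id):
    row = db.execute("SELECT is_admin FROM users WHERE id = ?",
                     (user_id,)).fetchone()
    return row[0]

if __name__ == "__main__":
    # Constructed form submission with one extra field the page never offered.
    form = {"name": "Alice B", "is_admin": "1"}
    db = make_db()
    update_naive(db, 1, form)
    print("naive handler, is_admin =", is_admin(db, 1))
    db = make_db()
    try:
        update_allowlisted(db, 1, form)
    except ValueError as exc:
        print("allowlisted handler rejected request:", exc)
    print("allowlisted handler, is_admin =", is_admin(db, 1))
```

The allowlist lives on the server, so it holds whether or not the form's field names match the column names.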


One common scenario where disclosing DB field names to the attacker ruins the security is SQL injection. In this case, the attacker may not be able to execute show tables, select * from INFORMATION_SCHEMA.TABLES and the like, to get the whole database structure. He may have very limited read access (e.g. blind SQL injection). Figuring out the DB structure in such cases may require some time and knowledge.

If you give the attacker hints about DB tables and fields, he may just try out several injections using the names you provide him. The attack will be much faster, require less qualification from the attacker, and be much more difficult to detect in the logs.