我是否正確使用MySQL事務？

Question

我想確認，我是正確使用MySQL的交易要正確處理好一些關鍵的（沒有種族錯誤等等）

$mysqli->autocommit(FALSE); 
$mysqli->query("UPDATE users SET balance=balance-$amount, transactions=transactions+1, sent=sent+$amount WHERE email='$email'"); 
$mysqli->query("UPDATE users SET balance=balance+$amount, transactions=transactions+1, recv=recv+$amount WHERE email='$address'"); 
$newBalanceQ = $mysqli->query("SELECT balance FROM users WHERE email='$email'"); 
$newBalance = $newBalanceQ->fetch_row()[0]; 
if($newBalance < 0){ 
    $mysqli->rollback(); 
} else { 
    $mysqli->commit(); 
} 

Answer 1

或者，你可以不用一個事務，因爲你既可以查詢合併成一個UPDATE聲明，

UPDATE users 
SET  balance = balance - (CASE WHEN email = '$email' THEN $amount ELSE $amount * -1 END), 
     transactions = transactions + 1, 
     sent = (CASE WHEN email = '$email' THEN sent + $amount ELSE sent END), 
     recv = (CASE WHEN email = '$address' THEN recv + $amount ELSE recv END) 
WHERE email IN ('$email','$address') 

您正在使用MySQLi，但你是不是參數化的價值，在這種情況下，你仍然有SQL Injection脆弱。