我是否正确使用MySQL事务？

Question

我想确认，我是正确使用MySQL的交易要正确处理好一些关键的（没有种族错误等等）

$mysqli->autocommit(FALSE); 
$mysqli->query("UPDATE users SET balance=balance-$amount, transactions=transactions+1, sent=sent+$amount WHERE email='$email'"); 
$mysqli->query("UPDATE users SET balance=balance+$amount, transactions=transactions+1, recv=recv+$amount WHERE email='$address'"); 
$newBalanceQ = $mysqli->query("SELECT balance FROM users WHERE email='$email'"); 
$newBalance = $newBalanceQ->fetch_row()[0]; 
if($newBalance < 0){ 
    $mysqli->rollback(); 
} else { 
    $mysqli->commit(); 
} 

Answer 1

或者，你可以不用一个事务，因为你既可以查询合并成一个UPDATE声明，

UPDATE users 
SET  balance = balance - (CASE WHEN email = '$email' THEN $amount ELSE $amount * -1 END), 
     transactions = transactions + 1, 
     sent = (CASE WHEN email = '$email' THEN sent + $amount ELSE sent END), 
     recv = (CASE WHEN email = '$address' THEN recv + $amount ELSE recv END) 
WHERE email IN ('$email','$address') 

您正在使用MySQLi，但你是不是参数化的价值，在这种情况下，你仍然有SQL Injection脆弱。