PHP+MYSQL 程序被攻击，求应对方法

类似购物的程序，程序上的流程是这样的：

1、用户发起请求，下单
2、检查各种参数是否齐全、有效
3、检查用户余额是否足够
4、写入订单表
5、写入用户表，将用户余额减少
6、写入记录表，记录用户下单买的啥，以及花了多少钱

今天发现一个神奇的用户，他在1秒钟之内下了20单！至于是不是1秒钟无从查起，因为数据库只精确到秒。
更奇怪的是：

1、明明没有足够的余额，却继续进入了后续的步骤
2、写入订单表成功、写入记录表成功，但是就是没有扣余额

我想来想去也没弄明白这是怎么回事儿，各位遇到过么？有何应对方法？

** 其他用户是完全正常的，只有这个瞬间下很多单的不正常。

    public function orderCreate(Request $request, Response $response) {
        
        if(!$user = session('wechat.oauth_user')){
            return response()->json([
                'error' => '身份驗證失敗，請重新打開頁面再試'
            ]);
        }

        if(is_null($request->input('object', NULL))
        || is_null($request->input('stake', NULL))
        || is_null($request->input('time', NULL))
        || is_null($request->input('direction', NULL))){
            return response()->json([
                'error' => '參數提交不全，請重新打開頁面再試'
            ]);
        }

        if($request->input('stake') != 20
        && $request->input('stake') != 50
        && $request->input('stake') != 100
        && $request->input('stake') != 200
        && $request->input('stake') != 500
        && $request->input('stake') != 1000
        && $request->input('stake') != 2000
        && $request->input('stake') != 3000){
            return response()->json([
                'error' => '參數提交錯誤，請重新打開頁面再試'
            ]);
        }

        if($request->input('time') != 60
        && $request->input('time') != 120
        && $request->input('time') != 180
        && $request->input('time') != 240
        && $request->input('time') != 300){
            return response()->json([
                'error' => '參數提交錯誤，請重新打開頁面再試'
            ]);
        }

        if($request->input('direction') != 1
        && $request->input('direction') != 0){
            return response()->json([
                'error' => '參數提交錯誤，請重新打開頁面再試'
            ]);
        }

        if(!$object = Object::find($request->input('object'))){
            return response()->json([
                'error' => '參數提交錯誤，請重新打開頁面再試'
            ]);
        }
        
        $object_latestPrice = Price::where('id_object', $object->id)->orderBy('created_at', 'desc')->first();
        if((strtotime($object_latestPrice->body_price_time) + 300) < time()){
            return response()->json([
                'error' => '休市期間無法進行交易'
            ]);
        }
        
        if(!$user = User::where('id_wechat', $user->id)->first()){
            return response()->json([
                'error' => '身份驗證失敗，請重新打開頁面再試'
            ]);
        }
        
        if(floatval($user->body_balance) < $request->input('stake')){
            return response()->json([
                'error' => '帳戶可用餘額不足，請先充值後再交易'
            ]);
        }

        if($user->is_disabled > 0){
            return response()->json([
                'error' => '帳戶已被封禁，无法进行交易'
            ]);
        }

        $order = new Order;
        $order->id_user = $user->id;
        $order->id_object = $object->id;
        $order->body_price_buying = $object_latestPrice->body_price;
        $order->body_stake = $request->input('stake');
        $order->body_bonus = $object->body_profit * $request->input('stake');
        $order->body_direction = $request->input('direction');
        $order->body_time = $request->input('time');
        $order->save();

        $user->body_balance = floatval($user->body_balance) - floatval($order->body_stake);
        $user->body_transactions = floatval($user->body_transactions) + floatval($order->body_stake);
        $user->save();

        $record = new Record;
        $record->id_user = $user->id;
        $record->id_order = $order->id;
        $record->body_name = $request->input('direction') == 1? '買入看漲' : '買入看跌';
        $record->body_direction = 0;
        $record->body_stake = $order->body_stake;
        $record->save();

        return response()->json([
            'result' => $order->toArray()
        ]);

    }

UPDATE：
现在在一大堆的条件判断之后，希望改成事物来处理这件事，但是 Laravel 的事务这么写正确么？或者说我这么写的话能够起到我想要的作用么？有点懵 - -

        DB::beginTransaction();

        $user->body_balance = floatval($user->body_balance) - $request->input('stake');
        $user->body_transactions = floatval($user->body_transactions) + $request->input('stake');
        $user->save();

        if($user->body_balance < 0) {
            DB::rollback();
        } else {

            $order = new Order;
            $order->id_user = $user->id;
            $order->id_object = $object->id;
            $order->body_price_buying = $object_latestPrice->body_price;
            $order->body_stake = $request->input('stake');
            $order->body_bonus = $object->body_profit * $request->input('stake');
            $order->body_direction = $request->input('direction');
            $order->body_time = $request->input('time');
            $order->save();

            $record = new Record;
            $record->id_user = $user->id;
            $record->id_order = $order->id;
            $record->body_name = $request->input('direction') == 1? '買入看漲' : '買入看跌';
            $record->body_direction = 0;
            $record->body_stake = $order->body_stake;
            $record->save();

            $this->computeNetwork($user, $order);

            if($order->body_time == 60) $this->computePrice($user, $order, $object);
            
        }

        DB::commit();