Is it possible to update a field in a MySQL database or insert a new row using SQL injection in this case:

1. The only protection in the PHP code is mysql_real_escape_string().
2. The query is constructed in double quotes: "select id from db where id = $id" not single string literal quotes.
3. The database is mysql (using mysql_query php call) so I don't think stacked queries is possible (correct me if I'm wrong).

I've tried using something like 1; update users set first_name = foo with no luck and tried passing in commas ' in hex and octal format with no luck: chr(0x27) char(0x27) chr(047) ascii tables.

Is it possible to actually update or insert under these conditions?

Is it possible to update a field in a MySQL database or insert a new row using SQL injection in this case:

1. The only protection in the PHP code is mysql_real_escape_string().
2. The query is constructed in double quotes: "select id from db where id = $id" not single string literal quotes.
3. The database is mysql (using mysql_query php call) so I don't think stacked queries is possible (correct me if I'm wrong).
4. Using mysql not mysqli.

I've tried using something like 1; update users set first_name = foo with no luck and tried passing in commas ' in hex and octal format with no luck: chr(0x27) char(0x27) chr(047) ascii tables.

Is it possible to actually update or insert under these conditions?

Is it possible to update a field in a MySQL database or insert a new row using SQL injection in this case:

1. The only protection in the PHP code is mysql_real_escape_string().
2. The query is constructed in double quotes: "select id from db where id = $id" not single string literal quotes.
3. The database is mysql so I don't think stacked queries is possible (correct me if I'm wrong).

I've tried using something like 1; update users set first_name = foo with no luck and tried passing in commas ' in hex and octal format with no luck: chr(0x27) char(0x27) chr(047) ascii tables.

Is it possible to actually update or insert under these conditions?

Is it possible to update a field in a MySQL database or insert a new row using SQL injection in this case:

1. The only protection in the PHP code is mysql_real_escape_string().
2. The query is constructed in double quotes: "select id from db where id = $id" not single string literal quotes.
3. The database is mysql (using mysql_query php call) so I don't think stacked queries is possible (correct me if I'm wrong).

I've tried using something like 1; update users set first_name = foo with no luck and tried passing in commas ' in hex and octal format with no luck: chr(0x27) char(0x27) chr(047) ascii tables.

Is it possible to actually update or insert under these conditions?