Is it possible through SQL injection to launch an UPDATE/DELETE statement from an INSERT/SELECT statement in MySQL?

Let's take the following vulnerable query ($id not being escaped):

SELECT * FROM table WHERE id = $id

Would it be possible in MySQL 5.x to modify some data through an UPDATE statement which would appear inside the hacked SELECT statement?

I thought about something using benchmark() function:

SELECT * FROM table WHERE id = id OR benchmark(1, (UPDATE ...))

But it doesn't seem to work:

ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UPDATE ...

Any other possibilities not using stored procedure?

Edit: and nor using multiple queries of c开发者_StackOverflow社区ourse...

Depending on the driver this may pass:

SELECT * FROM table WHERE id = id; UPDATE table ...

Multiple queries.