it is when used correctly within quotes (and used with common charsets, but that's a different story altogether). There is no publicly known way to inject the following when the database is encoded in ISO-8859-1 or UTF-8:
"SELECT ... WHERE `field_name` = '" . mysql_real_escape_string($string_value) . "'";
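To illustrate the "within quotes" condition, the following is an added example (not part of the original post) in Python that models the escaping rules of mysql_real_escape_string together with a parser for MySQL single-quoted literals. It assumes an ISO-8859-1 or UTF-8 connection and the default sql_mode (backslash escapes enabled); the function names, the table name `t` and the sample values are constructed for illustration.

```python
import re

# Model of the characters mysql_real_escape_string escapes (assumption: ISO-8859-1
# or UTF-8 connection, default sql_mode). This is not the PHP/MySQL source code.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}
PREFIX = "SELECT 1 FROM t WHERE `field_name` = "  # constructed query prefix

def escape(value: str) -> str:
    """Backslash-escape every character that could end or alter a quoted literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def read_literal(sql: str, start: int):
    """Parse the single-quoted literal at sql[start]; return (value, index after it)."""
    if sql[start] != "'":
        raise ValueError("literal must start with a single quote")
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):          # backslash escape sequence
            out.append(UNESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":  # doubled quote inside literal
            out.append("'")
            i += 2
        elif ch == "'":                              # closing quote
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")

def roundtrips(value: str) -> bool:
    """True if the quoted, escaped value is one literal that runs to the end of the query."""
    sql = PREFIX + "'" + escape(value) + "'"
    decoded, end = read_literal(sql, len(PREFIX))
    return decoded == value and end == len(sql)

def safe_unquoted(value: str) -> bool:
    """Outside quotes escaping gives no protection; only a strict integer is data."""
    return re.fullmatch(r"-?[0-9]+", value) is not None

# Constructed sample values containing every character class the escaper handles.
SAMPLES = ["O'Reilly", "trailing backslash\\", "a\\' b", 'say "hi"\n', "'' --", "\0\x1a"]

if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), "->", escape(v), "| stays inside the literal:", roundtrips(v))
```

In the quoted context every sample decodes back to exactly the original value. A value such as `1 OR 1=1` passes through `escape` unchanged, which is why the same call offers nothing when the surrounding quotes are omitted.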