diff --git a/language-snippets.ent b/language-snippets.ent
index 8867eb60ea..dd7482101f 100644
--- a/language-snippets.ent
+++ b/language-snippets.ent
@@ -1676,6 +1676,13 @@ linkend="book.mysqlnd">mysqlnd.'>
hand-shake/authentication, which mysqlnd will use.Libmysqlclient uses the default charset set in the
my.cnf or by an explicit call to mysqli_options prior to
calling mysqli_real_connect, but after mysqli_init.'>
+
+
Security warning: SQL injectionIf the query contains any variable
+input then parameterized
+prepared statements should be used instead. Alternatively, the
+data must be properly formatted and all strings must be escaped using
+the mysqli_real_escape_string
+function.'>
This function is supported when PHP
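Review bot: in the added entity text, "the data must be properly formatted and all strings must be escaped" leaves out the condition that makes escaping effective: mysqli_real_escape_string only protects a value that ends up inside a quoted string literal in the query. Now that this wording is shared by several pages, consider tightening it to something like "all strings must be escaped using mysqli_real_escape_string and enclosed in quotes, and non-string values must be validated or cast", so readers do not take escaping alone as sufficient for numbers or identifiers.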
diff --git a/reference/mysqli/mysqli/multi-query.xml b/reference/mysqli/mysqli/multi-query.xml
index dc30f7f0de..9667c67358 100644
--- a/reference/mysqli/mysqli/multi-query.xml
+++ b/reference/mysqli/mysqli/multi-query.xml
@@ -42,9 +42,7 @@
The query, as a string.
-
- Data inside the query should be properly escaped.
-
+ &mysqli.sqlinjection.warning;
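Review bot: on the multi_query page, the shared warning's advice that prepared statements "should be used instead" does not map directly onto this function, because a prepared statement takes a single SQL statement, and the line added here says nothing specific to running several statements at once. Suggest following `&mysqli.sqlinjection.warning;` with one sentence telling readers to split queries that contain variable input into separate prepared statements, since unescaped input in a multi-statement string can introduce whole additional statements rather than only altering one.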
diff --git a/reference/mysqli/mysqli/query.xml b/reference/mysqli/mysqli/query.xml
index 3df7427eed..e240544576 100644
--- a/reference/mysqli/mysqli/query.xml
+++ b/reference/mysqli/mysqli/query.xml
@@ -77,17 +77,7 @@
The query string.
-
- Security warning: SQL injection
-
- If the query contains any variable input then
- parameterized
- prepared statements should be used instead. Alternatively, the
- data must be properly formatted and all strings must be escaped using
- the mysqli_real_escape_string
- function.
-
-
+ &mysqli.sqlinjection.warning;
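Review bot: the warning removed here breaks onto separate lines at "parameterized" and "mysqli_real_escape_string", which points to inline link markup, and its title sits on a line of its own; please confirm the entity in language-snippets.ent carries the same title and both links, so the rendered query page is unchanged by this refactor. The visible wording matches the entity word for word, so nothing else on this page should differ.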
diff --git a/reference/mysqli/mysqli/real-query.xml b/reference/mysqli/mysqli/real-query.xml
index e4e5f08fc5..b7a2e4e42d 100644
--- a/reference/mysqli/mysqli/real-query.xml
+++ b/reference/mysqli/mysqli/real-query.xml
@@ -42,17 +42,7 @@
The query string.
-
- Security warning: SQL injection
-
- If the query contains any variable input then
- parameterized
- prepared statements should be used instead. Alternatively, the
- data must be properly formatted and all strings must be escaped using
- the mysqli_real_escape_string
- function.
-
-
+ &mysqli.sqlinjection.warning;
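Review bot: the `&mysqli.sqlinjection.warning;` reference added here is the third use of the entity in this patch (query, real_query and multi_query), and nothing at the declaration records where it is included. Consider a short XML comment beside the entity in language-snippets.ent naming the pages that pull it in, so that a later wording change is made with all three in mind.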