diff --git a/language-snippets.ent b/language-snippets.ent
index 8867eb60ea..dd7482101f 100644
--- a/language-snippets.ent
+++ b/language-snippets.ent
@@ -1676,6 +1676,13 @@ linkend="book.mysqlnd">mysqlnd</link>.'>
 hand-shake/authentication, which mysqlnd will use.</para><para>Libmysqlclient uses the default charset set in the
 <filename>my.cnf</filename> or by an explicit call to <function>mysqli_options</function> prior to
 calling <function>mysqli_real_connect</function>, but after <function>mysqli_init</function>.</para></note>'>
+<!ENTITY mysqli.sqlinjection.warning '<warning xmlns="http://docbook.org/ns/docbook">
+<title>Security warning: SQL injection</title><para>If the query contains any variable
+input then <link linkend="mysqli.quickstart.prepared-statements">parameterized
+prepared statements</link> should be used instead. Alternatively, the
+data must be properly formatted and all strings must be escaped using 
+the <function>mysqli_real_escape_string</function>
+function.</para></warning>'>
 
 <!-- Notes for SAPI/Apache -->
 <!ENTITY apache.req.module '<simpara xmlns="http://docbook.org/ns/docbook">This function is supported when PHP
diff --git a/reference/mysqli/mysqli/multi-query.xml b/reference/mysqli/mysqli/multi-query.xml
index dc30f7f0de..9667c67358 100644
--- a/reference/mysqli/mysqli/multi-query.xml
+++ b/reference/mysqli/mysqli/multi-query.xml
@@ -42,9 +42,7 @@
       <para>
        The query, as a string.
       </para>
-      <para>
-       Data inside the query should be <link linkend="mysqli.real-escape-string">properly escaped</link>.
-      </para>
+      &mysqli.sqlinjection.warning;
      </listitem>
     </varlistentry>
    </variablelist>
diff --git a/reference/mysqli/mysqli/query.xml b/reference/mysqli/mysqli/query.xml
index 3df7427eed..e240544576 100644
--- a/reference/mysqli/mysqli/query.xml
+++ b/reference/mysqli/mysqli/query.xml
@@ -77,17 +77,7 @@
       <para>
        The query string.
       </para>
-      <warning>
-       <title>Security warning: SQL injection</title>
-       <para>
-        If the query contains any variable input then 
-        <link linkend="mysqli.quickstart.prepared-statements">parameterized
-        prepared statements</link> should be used instead. Alternatively, the
-        data must be properly formatted and all strings must be escaped using 
-        the <function>mysqli_real_escape_string</function>
-        function.
-       </para>
-      </warning>
+      &mysqli.sqlinjection.warning;
      </listitem>
     </varlistentry>
     <varlistentry>
diff --git a/reference/mysqli/mysqli/real-query.xml b/reference/mysqli/mysqli/real-query.xml
index e4e5f08fc5..b7a2e4e42d 100644
--- a/reference/mysqli/mysqli/real-query.xml
+++ b/reference/mysqli/mysqli/real-query.xml
@@ -42,17 +42,7 @@
       <para>
        The query string.
       </para>
-      <warning>
-       <title>Security warning: SQL injection</title>
-       <para>
-        If the query contains any variable input then 
-        <link linkend="mysqli.quickstart.prepared-statements">parameterized
-        prepared statements</link> should be used instead. Alternatively, the
-        data must be properly formatted and all strings must be escaped using 
-        the <function>mysqli_real_escape_string</function>
-        function.
-       </para>
-      </warning>
+      &mysqli.sqlinjection.warning;
      </listitem>
     </varlistentry>
    </variablelist>
