It's probably best to not just have your SQL open to any query it gets.
A really simple solution would be to sanitize the data via PHP on the back end so that the only thing that would ever happen from an AJAX call would be that a number is added to the high score. That way, even if they tried to send an injection, it would end up as just a number, and dropped on the high score.
More advanced would be to format the number in a specific way so that if any other number was received (such as an injection attack), it wouldn't even add that false high score.
I would suggest a PDO operation, instead of mysqli, but if that's not an option for you, you can still sanitize mysqli.
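The approach described above, as an added example that is not part of the original post: the score is strictly validated (rejected rather than coerced when it is not a plain number) and then written through a PDO prepared statement. The table and column names, the `MAX_SCORE` bound, the helper function names and the in-memory SQLite DSN are assumptions made so the example runs offline on PHP 8 with `pdo_sqlite`; with MySQL only the DSN changes.

```php
<?php
declare(strict_types=1);

// Assumed schema and names (not from the original post): high_scores(player, score).
// In-memory SQLite keeps the example self-contained; swap the DSN for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE high_scores (player TEXT NOT NULL, score INTEGER NOT NULL)');

const MAX_SCORE = 1000000; // assumed upper bound for a plausible score

/**
 * Strictly validate the raw request value: ASCII digits only, within range.
 * Returns the integer, or null if the value must be rejected outright.
 */
function parseScore(mixed $raw): ?int
{
    // Arrays (score[]=1), signs, whitespace and trailing SQL all fail here.
    if (!is_string($raw) || !preg_match('/\A[0-9]{1,7}\z/', $raw)) {
        return null;
    }
    $score = (int) $raw;
    return $score <= MAX_SCORE ? $score : null;
}

/** Store a score; the value is bound as a parameter, never concatenated into SQL. */
function saveScore(PDO $pdo, string $player, mixed $rawScore): bool
{
    $score = parseScore($rawScore);
    if ($score === null) {
        return false; // rejected: nothing is written
    }
    $stmt = $pdo->prepare('INSERT INTO high_scores (player, score) VALUES (:player, :score)');
    $stmt->bindValue(':player', $player, PDO::PARAM_STR);
    $stmt->bindValue(':score', $score, PDO::PARAM_INT);
    return $stmt->execute();
}

// Constructed sample inputs standing in for $_POST['score'] from the AJAX call.
$samples = ['4200', '42; DROP TABLE high_scores', '-5', '99999999', ['1']];
foreach ($samples as $raw) {
    $ok = saveScore($pdo, 'alice', $raw);
    printf("%-32s %s\n", json_encode($raw), $ok ? 'stored' : 'rejected');
}
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM high_scores')->fetchColumn(), "\n";
```

Validation and parameter binding do different jobs here: binding keeps the value out of the SQL text, while the strict check keeps malformed or implausible values from ever becoming a stored score.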