Please tell me that isn't production code.
You HAVE TO typecheck, validate and escape EVERYTHING before sending it to SQL.
Getting the information just takes another query to the database. You could theoretically just make this another PHP file or set up your original one to either send or receive based on a query parameter, and it could format that information as JSON for an AJAX call to that file.
Something like this should work (assuming typos because I'm sleep deprived):
    $uname = null;
    $score = null;
    if (isset($_GET['fname'], $_GET['testy'])) {
        // ... connect to the db
        $uname = trim(strip_tags($_GET['fname'])); // remove malicious code
        $uname = str_replace("\0", "", $uname); // remove poison bytes
        // verify int and min/max values
        // MAX_SCORE stands in for the (?) placeholder: define it as your highest valid score
        // compare against false explicitly, because a valid score of 0 is falsy
        if (filter_var($_GET['testy'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 0, 'max_range' => MAX_SCORE))) !== false) {
            $score = str_replace("\0", "", $_GET['testy']); // just because you're paranoid don't mean they're not after you
        }
        if (isset($score, $uname)) {
            // $uname, not $username: that is the variable validated above
            mysql_query("INSERT INTO chat (playerid, text) VALUES ('".mysql_real_escape_string($uname)."',".intval($score).")");
        }
    }
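
The same validate-then-insert flow with PDO prepared statements instead of the `mysql_*` functions (removed in PHP 7), plus the JSON read side for the AJAX call, as an added example that is not part of the original post. `MAX_SCORE`, the name allow-list, the function names and the in-memory SQLite demo database are assumptions; the `chat` table and the `fname`/`testy` parameters come from the post.

```php
<?php
// Added example, not the poster's code. MAX_SCORE, the allow-list and the
// SQLite demo database are assumptions made for illustration.
const MAX_SCORE = 1000000; // hypothetical bound: set to your game's real maximum

// Validate both request parameters; returns [name, score] or null if rejected.
function validate_input(array $in): ?array
{
    $name = is_string($in['fname'] ?? null) ? trim($in['fname']) : '';
    // Allow-list what a name may contain instead of stripping "bad" input.
    if (!preg_match("/\A[\p{L}\p{N}_ '-]{1,32}\z/u", $name)) {
        return null;
    }
    $score = filter_var($in['testy'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => MAX_SCORE]]);
    // Compare with false explicitly: a valid score of 0 is falsy.
    return $score === false ? null : [$name, $score];
}

// Bound parameters keep user values out of the SQL text entirely.
function save_score(PDO $db, string $name, int $score): void
{
    $stmt = $db->prepare('INSERT INTO chat (playerid, text) VALUES (:name, :score)');
    $stmt->execute([':name' => $name, ':score' => $score]);
}

// The "receive" side: all rows as JSON for the AJAX call.
function scores_json(PDO $db): string
{
    $rows = $db->query('SELECT playerid, text FROM chat')->fetchAll(PDO::FETCH_ASSOC);
    return json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP);
}

// Demo with constructed requests against an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE chat (playerid TEXT, text TEXT)');
$requests = [
    ['fname' => 'alice', 'testy' => '0'],        // accepted: 0 is a valid score
    ['fname' => "O'Neil", 'testy' => '4200'],    // accepted: quote stored literally
    ['fname' => 'carol', 'testy' => '12abc'],    // rejected: not an integer
    ['fname' => '<b>eve</b>', 'testy' => '7'],   // rejected by the name allow-list
];
foreach ($requests as $r) {
    $valid = validate_input($r);
    if ($valid !== null) {
        save_score($db, $valid[0], $valid[1]);
    }
}
echo scores_json($db), PHP_EOL;
```

On MySQL, only the PDO connection string changes; set `PDO::ATTR_EMULATE_PREPARES` to `false` there so the server performs the parameter binding.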