The "if" check uses a value comparison, which protects against SQL injection. Your dynamic queries correctly implement placeholders. From a security perspective, the code looks good as long as the leaderboard columns don't contain sensitive data.