Untitled

<?php
session_start();
include"config.php";
//if there trying to login
if(isset($_GET['login'])) {
//removes sql injections from the data
$username= htmlspecialchars(addslashes($_POST[username]));
//encrypts the password
$password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST[password]))))))));
//gets the username data from the members database
$uinfo = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
//see if the user exists
$checkuser = mysql_num_rows($uinfo);
//if user name not found in database error
if($checkuser == '0')
{
echo "Sorry, that username doesnt exist.";
}else{
//fetch the sql
$udata = mysql_fetch_array($uinfo);
//checks see if the account is verified
if($udata[userlevel] == 1) {
echo "Please verify your account.";
}
//if it is continue
else
//if the db password and the logged in password are the same login
if($udata[password] == $password) {
$query = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
//fetchs the sql
$user = mysql_fetch_array($query);
//sets the logged session
$_SESSION['id'] = "$user[id]";
$_SESSION['password'] = "$user[password]";
if($user[userlevel] == 0){
echo"The account you are trying to access has been banned.";
}else{
echo "<center><img src='images/loading.gif'></center>"; //If you change the 0 below, maybe keep the loading image?
//redirects them
echo "<meta http-equiv='Refresh' content='0'/>"; //change the 0 to how long you want it to wait
}
}
//wrong password
else{
echo "Unvalid username and password combination.";
}
}
}else{
//If not the above show the login form
echo "Login form goes here";
}
?>