Yea, an error or output would be helpful. But to try to help, echo out the SQL and make sure it looks correct. Then try to run the query somewhere like phpMyAdmin or whatever MySQL manager you use just to check if there are any rows coming back. If you see a row, call mysql_fetch_assoc on your $result and then print_r/var_dump that to see what you are getting back. Perhaps also, when you query, check if $result === false and if so echo mysql_error().
Some tips:
-Don't use the mysql_* functions. They are deprecated and will be removed from PHP in a future version. Use mysqli (MySQL Improved) or PDO. Both do the same thing and are infinitely better than mysql_*. Use mysqli or PDO with bound parameters. It is simple to switch and easy to get the hang of.
-With the code the way it is, you will need to escape $userlevel also. Just because a form input is hidden doesn't mean it can't be changed. Currently your code is open to SQL injection. Seeing that query, if I know someone else's student number I could log in as them. For example, if I wanted to log in as student number 123, I could just change user level to:
Code:
' or studnumber=123
Of course, this could all be fixed if you would just use mysqli/pdo with bind.
-Don't store passwords in the database without hashing them first. Just please don't. You should be using a hashing function to one-way hash the password. This means that if you hash the password, you get a seemingly random string. Every time you hash the same password, you get the same string, and given the hashed string, you can't get the original password. You can store this string in the database and, when checking the password, hash what the user typed in and compare these hashed strings. This ensures that if someone dumps the data in your database, usually through SQL injection, you don't show them the password of every user.
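
The tips above, as an added example that is not part of the original post: a login check using PDO bound parameters and PHP's password_hash()/password_verify(), which salt each hash, so the check goes through password_verify() rather than a comparison of two hash strings. The students table, the pass_hash column, the in-memory SQLite database standing in for MySQL and the sample passwords are assumptions constructed for illustration.

```php
<?php
// Added example, not the original poster's code. Table and column names other
// than studnumber and userlevel are assumptions; all data is constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');   // stand-in for the real MySQL connection
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (
    studnumber INTEGER PRIMARY KEY,
    userlevel  TEXT NOT NULL,
    pass_hash  TEXT NOT NULL)');

// Store only a salted one-way hash, never the password itself.
$add = $pdo->prepare(
    'INSERT INTO students (studnumber, userlevel, pass_hash) VALUES (?, ?, ?)'
);
$add->execute([123, 'student', password_hash('constructed-pw-123', PASSWORD_DEFAULT)]);
$add->execute([456, 'student', password_hash('constructed-pw-456', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $studnumber, string $userlevel, string $password): bool
{
    // Placeholders keep user input out of the SQL text: values travel as data.
    $stmt = $pdo->prepare(
        'SELECT pass_hash FROM students WHERE studnumber = :num AND userlevel = :level'
    );
    $stmt->execute([':num' => $studnumber, ':level' => $userlevel]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                // no such student at that user level
    }
    // password_verify re-hashes the input with the salt stored in pass_hash.
    return password_verify($password, $row['pass_hash']);
}

// Constructed requests: a normal login, a wrong password, and the hidden-field
// value quoted in the post, submitted with student 456's own credentials.
$attempts = [
    ['123', 'student', 'constructed-pw-123'],
    ['123', 'student', 'wrong'],
    ['456', "' or studnumber=123", 'constructed-pw-456'],
];
foreach ($attempts as [$num, $level, $pw]) {
    $result = login($pdo, $num, $level, $pw) ? 'OK' : 'denied';
    printf("%-4s %-22s %s\n", $num, $level, $result);
}
```

Because the user level is bound as a value, the third request is compared literally against the userlevel column and matches no row.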