First of all, read up on Membership Providers in ASP.NET. What you are doing is a very common task, so MS built in a pattern for Membership into ASP.NET. You can create a Membership Provider based on your database, and then you can specify permissions in the Web.config instead of having to check every page or use the Context.User.IsInRole("Administrators")` which would still work if, say, you switched your membership database to something like Active Directory.
To answer the code question you asked on how to use bound parameters, it would be something like (in C#, since this question is tagged C#)
var myConnection = new MySqlConnection("connection string"); var mySqlCommand = new MySqlCommand("SELECT COUNT(*) FROM tbl_staff WHERE username = @username AND 'group_id' = '1001'"); mySqlCommand.AddWithValue("@username", username); int count = (int)mySqlCommand.ExecuteScalar(); bool isInGroup = count > 0;