because $group is not defined in the function you would have to either define it our pass it into the function.
also I'd recommend to escape the string to avoid sql injections. see mysql_real_escape_string
$q = "SELECT username,userlevel,email,group FROM ".TBL_USERS." WHERE user= '".mysql_real_escape_string($group)."'";
unless you know for a fact that $group is sanitized you should use mysql_real_escape_string() on any variable that you have gotten from the user. Trusted or not.