Both your input fields are called “level”, they need to have different names. Yes, as per your update.
I would just include the level that you wish to upgrade the user to as a hidden variable in your form, that way you can use the same submit code whether you’re upping them to level 2 or level 1. There’s no need to pass through the current permission level - you could retrieve that in the update code based on the user id if you need it.
Also this bit:
$updateLevel_1 = dbConnect()->prepare("UPDATE users SET level = '1' WHERE username = '$username'");
$updateLevel_1->execute();could use some changes. You’ve gone to the trouble of using a prepared statement, but then not used the power and security of bound parameters. Something like
$updateLevel_1 = dbConnect()->prepare("UPDATE users SET level = ':level' WHERE username = :user ");
$updateLevel_1->execute(array(':user' => $username, ':level' => $newlevel));or using bindParam() instead.
And another question would be where the username is coming from. You pass the id value in your form, so you would need to use this to determine which user you are updating, not the username.