Re: Designing a forum - general design logic question
Posted by: Rick James
Date: May 27, 2012 09:26AM

A minor insecurity:
INSERT ... SHA1('fantasticfour')
passes the password across the network in 'plaintext'. That is, a serious hacker could "sniff packets" and see the pwd. You could validly argue that this application does need to worry that much about security.

An alternative is to do the SHA1 in your code (PHP or whatever) and pass only the resulting hex string between PHP and the database:

$hex = sha1($_POST['pwd']);
INSERT INTO ... VALUES (... '$hex' ...)
and
$pwd = SELECT pwd FROM Users WHERE userid = '...';
if ($pwd == sha1($_POST['pwd'])) { login is ok } else { ... }
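
As an added example (not code from the original post), the same idea in Python against an in-memory SQLite table standing in for the Users table: the hash is computed in application code, so only the hash crosses the database connection, and the hash is passed as a bound query parameter rather than spliced into SQL text. It goes beyond the post by using a salted, iterated hash (PBKDF2) instead of bare SHA1 and a constant-time comparison; ITERATIONS, the table layout and the sample users are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the forum's Users table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (userid TEXT PRIMARY KEY, salt BLOB, pwd BLOB)")

ITERATIONS = 100_000  # assumed work factor; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash computed in application code. Only this value,
    # never the password itself, is sent over the database connection.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(userid: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt stored beside the hash
    # Parameterised query: userid, salt and hash travel as bound values.
    conn.execute(
        "INSERT INTO Users (userid, salt, pwd) VALUES (?, ?, ?)",
        (userid, salt, hash_password(password, salt)),
    )
    conn.commit()


def login_ok(userid: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pwd FROM Users WHERE userid = ?", (userid,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Recompute in the application and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    register("reed", "fantasticfour")
    print(login_ok("reed", "fantasticfour"))  # True
    print(login_ok("reed", "fantastic4"))     # False
```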
