Can someone help me with below script, this is script for change password. But it always can't recognize the old password. i'm really thankfull for your comments..

//$_SESSION["userId"] = $_POST['id'];
//$userId = $_POST['id'];

//Cek Login

    if ($_SESSION['level']==user) {

        $namaLgkp = $_SESSION['username'];

if(count($_POST)>0) {
$result = mysql_query("SELECT *from tb_user WHERE id='" . $_SESSION["userId"] . "'");
if($_POST["pwlama"] == $row["password"]) {
mysql_query("UPDATE tb_user set password='" . $_POST["pwbaru"] . "' WHERE id='" . $_SESSION["userId"] . "'");
$message = "Password berhasil diganti";
} else $message = "Password lama salah";

<title>Online Ticketing</title>
<!-- CSS -->
<link href="style/css/layout.css" rel="stylesheet" type="text/css" media="screen" />
function passwordck() {
var pwlama,pwbaru,pwbarulg,output = true;

pwlama = document.frmpwd.pwlama;
pwbaru = document.frmpwd.pwbaru;
pwbarulg = document.frmpwd.pwbarulg;

if(!pwlama.value) {
    document.getElementById("pwlama").innerHTML = "required";
    output = false;
else if(!pwbaru.value) {
    document.getElementById("pwbaru").innerHTML = "required";
    output = false;
else if(!pwbarulg.value) {
    document.getElementById("pwbarulg").innerHTML = "required";
    output = false;
if(pwbaru.value != pwbarulg.value) {
    document.getElementById("pwbarulg").innerHTML = "not same";
    output = false;
return output;
<form name="frmpwd" method="post" action="" onSubmit="return passwordck()">
<div class="message"><?php if(isset($message)) { echo $message; } ?></div>
    <div id="wrapper">

       <!-- Batas awal menu atas -->
        <ul id="menu">
            <li><a href="duser.php">DASHBOARD</a></li> 
            <li><a href="staticuser.php">TICKET</a></li>
            <li><a href="passuser.php"  class="active">PASSWORD</a></li><!-- untuk menu  utama yang sedang dipilih  -->
            <li class="logout"><a href="logout.php">LOGOUT</a></li>
        <!-- Batas akhir menu atas -->

        <!-- Batas awal background layar -->
        <div id="backgroundlayar">

            <!-- Batas awal kertas -->
            <div id="kertas">
                <!-- Batas awal kotakkiri -->
                <div id="kotakkiri">

                    <!-- Batas awal menu kiri -->
                    <ul class="menukiri">
                        <li><a href="passuser.php" class="active">NEW PASSWORD</a></li> 
                    <!-- batas akhir menu kiri-->

                <!-- batas akhir kotaks kiri -->

                <h2><a href="duser.php">Dashboard</a> » <a href="passuser.php" class="active">Password</a></h2>

                <div id="utama">
                    <form action="" >

                    <h3 align="center">Gantilah Password Secara Berkala</h3>

                    <form action="" method="post">
                    <p><label>Nama:</label> <input type="text" name="nama" value="<?php echo $namaLgkp ?>"/><br/></p>
                    <p><label>Password lama: </label><input type="password" name="pwlama" required="required"/>
                    <p><label>Password baru:</label> <input type="password" name="pwbaru" required="required"/>
                    <p><label>Ketik ulang password baru:</label> <input type="password" name="pwbarulg" required="required"/>

                    <input type="submit" value="Update"/>

                <!-- batas akhir utama -->

                <div class="clear"></div>
            <!-- batas akhir kertas -->

        <!-- batas akhir background layar -->

         <!-- Batas awal kaki -->
        <p id="kaki">Copyright © 2014 <a href="#">Online Ticketing Support</a></p>
        <!-- batas akhir kaki -->

    <!-- wrapper -->


    else {

    header('location: akses.php');

why is this commented out?
//$_SESSION["userId"] = $_POST['id'];
//$userId = $_POST['id'];

and put
at the begining

it still doesn't work
error message: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\Skripsi\passuser.php on line 19

On line 11 is user a constant? Put it between quotes if not. Also, on line 18 put a space between asterisk and from.

Do an echo $_SESSION['userId'] to see if it returns anything, and if it does make sure that id is in the tb_user table (in the database)

Well... it would be nice to set the problem status to "solved" and maybe up-vote some comments...