<?php
session_start();
include 'connect.php';

if(isset($_POST['submit'])) {

//$username = $_POST['username']; 
$password = md5($_POST['currentpassword']);
$newpassword = md5($_POST['newpassword']);
$confirmnewpassword = md5($_POST['newpassword1']);
$user_id = $_SESSION['user_id'];

var_dump($user_id);
$sql = "SELECT * FROM user WHERE user_id=$user_id ";
var_dump($sql);
mysql_select_db($dbname) or die(mysql_error());
$result = mysql_query($sql);
//mysql_fetch_assoc($result);
while($data = mysql_fetch_assoc($result) ){
    $userPassword = $data['password'];      
}
if($password == $userPassword) {

if($newpassword == $confirmnewpassword){    
$sql = "UPDATE user SET password = '$newpassword WHERE user_id = $user_id";
{
if(!$result) {
    echo 'password successfully changed';
}
else{
    'new password and password must be the same';    
}
}
}
}
}
?>
Member Avatar for diafol

Indenting your code will help you and others to see what's going on.

What's happening at line 26? There's an open brace for some reason.

<?php

session_start();
include 'connect.php';

if(isset($_POST['submit'])) {

//$username = $_POST['username']; 
$password = md5($_POST['currentpassword']);
$newPassword = md5($_POST['newpassword']);
$conPassword = md5($_POST['newpassword1']);
$user_id = $_SESSION['user_id'];

var_dump($user_id);
$sql = "SELECT * FROM user WHERE user_id=$user_id ";
//var_dump($sql);
mysql_select_db($dbname) or die(mysql_error());
$result = mysql_query($sql);
//mysql_fetch_assoc($result);
while($data = mysql_fetch_assoc($result) ){
$userPassword = $data['password'];      
}
if($password == $userPassword)  
{
    echo 'Entered password is incorrect';
    } 
//var_dump($newPassword);
    if ($newPassword == $conPassword) {
        $sql = "UPDATE user SET password = '$newPassword WHERE user_id = $user_id";
if($sql) 
    {
    echo 'password successfully changed';
    }
else{
    'new password and password must be the same';    
}
}
}
?>

It always says password successfully, but nothing is saved in the database.
Member Avatar for diafol

Still badly formed - you're mixing your indenting styles all over the place. Try to avoid a situation where you have consecutive close braces in the same column. Here's a simple format...

session_start();
include 'connect.php';
if(isset($_POST['submit'])){
    //$username = $_POST['username']; 
    $password = md5($_POST['currentpassword']);
    $newPassword = md5($_POST['newpassword']);
    $conPassword = md5($_POST['newpassword1']);
    $user_id = $_SESSION['user_id'];
    var_dump($user_id);
    $sql = "SELECT * FROM user WHERE user_id=$user_id ";
    //var_dump($sql);
    mysql_select_db($dbname) or die(mysql_error());
    $result = mysql_query($sql);
    //mysql_fetch_assoc($result);
    while($data = mysql_fetch_assoc($result) ){
        $userPassword = $data['password'];      
    }
    if($password == $userPassword){
        echo 'Entered password is incorrect';
    } 
    //var_dump($newPassword);
    if ($newPassword == $conPassword) {
        $sql = "UPDATE user SET password = '$newPassword WHERE user_id = $user_id";
        if($sql) {
            echo 'password successfully changed';
        }else{
            'new password and password must be the same';    
        }
    }
}
Member Avatar for diafol

No need for a while loop - there should only ever be one record per user. Anyway, you're not actually running an update query, just checking the state of a variable.

Here's how I'd do a simple one...

session_start();
require 'configs.php'; //stores salts, db connection data and other sensitive data (held above public root)
require 'connect.php';

if(isset($_POST['submit'])){

    if(!$_POST['currentpassword'] || !$_POST['newpassword'] || !$_POST['newpassword1'] || $_POST['newpassword'] != $_POST['newpassword1']){
        //you could enforce also alphanumerics for the new passwords or any pattern and number of characters
        echo "Ensure that all passwords are entered and that new ones are the same and have between 8 and 20 alphanumerical characters";

    }else{

        $pw =       hash('sha512',$salt1. $_POST['currentpassword'] . $salt2);
        $pwNew =    hash('sha512',$salt1. $_POST['newpassword'] . $salt2);
        $pwConf =   hash('sha512',$salt1. $_POST['newpassword1'] . $salt2);

        $user_id = $_SESSION['user_id'];

        $sql = mysql_query("UPDATE user SET password = '$pwNew' WHERE user_id = $user_id AND password = '$pw'");
        echo (mysql_affected_rows()) ? 'Password successfully changed' : 'Your original password was incorrect';    
    }
}

Just to add about why exactly your code isn't working:

26. if ($newPassword == $conPassword) {
27.     $sql = "UPDATE user SET password = '$newPassword WHERE user_id = $user_id";
28.     if($sql) 
29.     {
30.         echo 'password successfully changed';
31.     }
32.     else{
33.        'new password and password must be the same';    
34.     }
35. }

First, your query on line 27 has a problem. SET password = '$newPassword WHERE is missing a second quote after $newPassword, which will break your entire query and give you a MySQL error. You're not getting the error for the same reason your data isn't being updated: the query is never actually run. The statement in line 27 only assigns your query to a text variable; it doesn't do any kind of actual MySQL operation. See lines 19 and 20 from diafol's last post for an example of how to run a query, but basically you need to pass the query to mysql_query() and then check mysql_affected_rows(). If the change is successful, mysql_affected_rows() will be 1+; if not, it will be 0 (this can also mean the old password is the same as the new one).
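
The pattern from the two answers above (actually run the query, then check the affected-row count), as an added example that is not code from any poster in this thread: it swaps the mysql_* functions, which were removed in PHP 7, for PDO prepared statements, and the md5 / static-salt sha512 hashes for password_hash() and password_verify(). The function name changePassword and the in-memory SQLite database are assumptions for the demo; the table and column names follow the thread, and the password column is assumed to be wide enough (VARCHAR(255)) for the stored hash.

```php
<?php
// Added example: password change with password_hash()/password_verify() and PDO
// prepared statements. Table/column names (user, user_id, password) follow the
// thread; the function name and the SQLite demo database are assumptions.

function changePassword(PDO $db, int $userId, string $current, string $new, string $confirm): string
{
    if ($current === '' || $new === '' || !hash_equals($new, $confirm)) {
        return 'All fields are required and the new passwords must match';
    }

    // Fetch the stored hash; the user id is bound, never interpolated.
    $stmt = $db->prepare('SELECT password FROM user WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $storedHash = $stmt->fetchColumn();

    // password_verify() reads the per-user salt and cost from the stored hash.
    if ($storedHash === false || !password_verify($current, $storedHash)) {
        return 'Your original password was incorrect';
    }

    // The query is actually executed here, and rowCount() confirms the write.
    $update = $db->prepare('UPDATE user SET password = :hash WHERE user_id = :id');
    $update->execute([
        ':hash' => password_hash($new, PASSWORD_DEFAULT),
        ':id'   => $userId,
    ]);

    return $update->rowCount() === 1 ? 'Password successfully changed' : 'Password was not updated';
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (user_id INTEGER PRIMARY KEY, password VARCHAR(255))');
$db->prepare('INSERT INTO user (user_id, password) VALUES (1, :hash)')
   ->execute([':hash' => password_hash('old-secret-1', PASSWORD_DEFAULT)]);

// Wrong current password, mismatched confirmation, success, then the new password in use.
echo changePassword($db, 1, 'wrong-guess', 'new-secret-2', 'new-secret-2'), PHP_EOL;
echo changePassword($db, 1, 'old-secret-1', 'new-secret-2', 'new-secret-3'), PHP_EOL;
echo changePassword($db, 1, 'old-secret-1', 'new-secret-2', 'new-secret-2'), PHP_EOL;
echo changePassword($db, 1, 'new-secret-2', 'newer-secret-3', 'newer-secret-3'), PHP_EOL;
```

Because password_hash() generates a fresh salt on every call, the current password cannot be matched in the WHERE clause as in the sha512 version; it has to be fetched and checked with password_verify() first.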

Thanks guys, now it's working!

Will that script work for any HTML form? Is there any need for some database field changes? @everyone
