is a MySQL reserved word, and should not be used as a column name, if you do, it needs to be escaped with backticks:
$query="UPDATE users SET `password`='$password',username='$username' WHERE id= $id ";
But ... never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.
] - the code is C#, but it's pretty obvious and you will find similar hashing code for php online.
And remember: if this is web based and you have any European Union users then GDPR applies and that means you need to handle passwords as sensitive data and store them in a safe and secure manner. Text is neither of those and the fines can be .... um ... outstanding. In December 2018 a German company received a relatively low fine of €20,000 for just that.