In the newest versions of PHP you need to use what are called superglobal variables to access POST and GET (and session and cookie and server) data. Drop that global at the beginning of the script since none of the variables you define are used outside the script, they don't need to be globbed.
Firstly, you need to set the form tag's action="script.php" so it actually sends data to the form
Then, in the PHP script you reference the variables as
$_POST['form_element_name'] like
PHP Code:
$safe_newpw = escapeshellarg($_POST['new_pw1']);
$safe_oldpw = escapeshellarg($_POST['old_pw']);
$safe_user = escapeshellarg($_POST['user']);
EDIT Addition: I noticed you have if ($gochange) but you don't have a form element called that. You can indeed do soemthing like this, but you need to say something like
PHP Code:
if (isset($_POST['change'])) {do everything}
where "change" is the name of your submit button, as in your example.
PS Cudos on the use of escapedshellarg()
many new php programmers don't bother escaping shell commands, as you
must.