Hi, I'm implementing a password change via PIN, but I don't know why it gives me this error:
Code:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET users password='demo' WHERE username='admin' and pin='91e82999cf7e45da1070e' at line 1' in D:\xampp\htdocs\db\admin\forgot.php:37 Stack trace: #0 D:\xampp\htdocs\db\admin\forgot.php(37): PDOStatement->execute() #1 {main} thrown in D:\xampp\htdocs\db\admin\forgot.php on line 37
The code is this:
Code:
<?php
include("inc.php");
session_start();
if(isset($_POST['login'])){
    $password = $_POST["password"];
    $username = $_POST['username'];
    $pin = $_POST['pin'];

    if(empty($username))
    {
        $error = "Username non inserito";
    }
    elseif(empty($pin))
    {
        $error = "Pin non inserito";
    }
    else
    {
        $md5_pin = md5($_POST["pin"]);

        $query = $db->prepare("SELECT * FROM users WHERE username=:username AND pin=:pin");
        $query->bindParam(':username', $_POST['username']);
        $query->bindParam(':pin', $md5_pin);
        $query->execute();

        if($row = $query->fetch()){
            $md5_row_pin = $row["pin"];

            $query = $db->prepare("UPDATE SET users  password=:password WHERE username=:username and pin=:pin");
            $query->bindParam(':username', $row['username']);
            $query->bindParam(':pin', $md5_row_pin);
            $query->bindParam(':password', $_POST['password']);
            $query->execute();
            $msg = "Fatto";
        }
        else
        {
            echo 'ERROR';
        }
    }
}
?>
<!DOCTYPE html>
<html>
<meta charset="utf-8">
<head>
<title>Recupera/Cambia password dal pin</title>
</head>
<body>
<h1>Recupera/Cambia password dal pin</h1>
<?php
  if(isset($error)){ echo "<p class=\"info_error\">".$error."</p>";}
if(isset($msg)){ echo $msg;} else {
?>
<form method="POST">
<table width="960px">
<tr>
<td>Username</td>
<td><input type="text" name="username" value="<?php if(isset($_POST['username'])){echo htmlspecialchars($_POST['username']);}?>"></td>
</tr>
<tr>
<td>Pin</td>
<td><input type="password" name="pin" value="<?php if(isset($_POST['pin'])){echo htmlspecialchars($_POST['pin']);}?>"></td>
</tr>
<tr>
<td>Inserire nuova password</td>
<td><input type="password" name="password" value="<?php if(isset($_POST['password'])){echo htmlspecialchars($_POST['password']);}?>"></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="login"></td>
</tr>
</table>
</form>
<?php
}
?>
</body>
</html>
Any ideas? How can I solve the problem?

Thanks a lot.
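
For reference, an added example that is not part of the original post: the same PIN-based reset with the statement written in the order MySQL expects (`UPDATE users SET ...`). It assumes an in-memory SQLite database in place of the poster's MySQL one, and PIN and password columns that hold `password_hash()` output rather than `md5()` or plain text; `resetPasswordWithPin` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumptions: an in-memory SQLite
// database stands in for the MySQL one, and the pin and password columns hold
// password_hash() output instead of md5() / plain text.
declare(strict_types=1);

function resetPasswordWithPin(PDO $db, string $username, string $pin, string $newPassword): bool
{
    // Look the user up by name only; the PIN is verified in PHP, not in SQL.
    $select = $db->prepare('SELECT pin FROM users WHERE username = :username');
    $select->execute([':username' => $username]);
    $row = $select->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($pin, $row['pin'])) {
        return false; // same answer for an unknown user and a wrong PIN
    }

    // MySQL expects UPDATE <table> SET <column> = ..., not "UPDATE SET <table>".
    $update = $db->prepare('UPDATE users SET password = :password WHERE username = :username');
    $update->execute([
        ':password' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':username' => $username,
    ]);

    return $update->rowCount() === 1;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pin TEXT, password TEXT)');
$insert = $db->prepare('INSERT INTO users (username, pin, password) VALUES (?, ?, ?)');
$insert->execute([
    'admin',
    password_hash('4821', PASSWORD_DEFAULT),
    password_hash('old-password', PASSWORD_DEFAULT),
]);

var_dump(resetPasswordWithPin($db, 'admin', '0000', 'demo')); // wrong PIN
var_dump(resetPasswordWithPin($db, 'admin', '4821', 'demo')); // correct PIN

// Check that the stored hash now matches the new password.
$stored = $db->query("SELECT password FROM users WHERE username = 'admin'")->fetchColumn();
var_dump(password_verify('demo', $stored));
```

A short PIN can be guessed quickly, so a reset form like this also needs attempt limiting per account, which the example does not implement.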