This script is possibly vulnerable to code execution attacks.
Code injection vulnerabilities occur where the output or content served from a Web application can be manipulated in such a way that it triggers server-side code execution. In some poorly written Web applications that allow users to modify server-side files (such as by posting to a message board or guestbook) it is sometimes possible to inject code in the scripting language of the application itself.
A malicious user may execute arbitrary system commands with the permissions of the web server.
Your script should filter metacharacters from user input.
Security Focus - Penetration Testing for Web Applications (Part Two)
OWASP PHP Top 5
Code Execution Security Vulnerability