I have created an online PHP code executor at http://web.guru99.com
Though I have checked all security aspects … do you experts see any major flaw that I need to care of?

No matter what I enter, I get: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING so I'd say it's secure enough... ;)

You should disable system() and similar functions. At the moment I can list root of the server. Also consider to run this into a jail root.

RecursiveDirectoryIterator and include / include_once / require / require_once should be blocked too.

Sorry for the update, but finally I remembered the name of the library, consider to move the app to runkit:

You can create a sandbox and so you can limit most of the problems.