Thanks for the suggestions. I know this implementation has more holes than Swiss cheese, but I will try to plug them as I figure out how to deal with JS callbacks :)
And you may very well know this, but keep in mind that if this is on a LAN only and not port-forwarded in from the internet, that substantially reduces your exposure; to exploit anything in your server code they'd need to be running behind your firewall. And there are probably juicier targets at that point.