in reply to Security Uploading Files

Well, if I read your code correctly, you accept the output filename from the client. I think you should untaint the filename (make sure it doesn't contain any dangerous characters) - in particular, you might want to make sure the user couldn't put the file in a directory other than the one you intended for them.

I don't recall right now if the ../ thing works for Windows systems (like you appear to be using), but that's one of the things you might want to check for.

You might also want to decide if overwriting the files already in the directory should be permitted or not. Currently, you don't check for that, so a file might be overwritten either by mistake or through malicious action.
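The three points above (untaint the client-supplied name, stop directory traversal, decide about overwriting) can be handled in a few lines of Perl. The code below is an added example, not the poster's script or any code from the thread; the directory name, the function names and the sample inputs are assumptions made for illustration. It runs under taint mode (`-T`): the regex capture is what untaints the name. Because on Windows both `/` and `\` are path separators, the filter splits on both before applying a whitelist, and it also refuses reserved device names (`CON`, `NUL`, `COM1`, ...) that Windows would otherwise interpret. Overwriting is prevented with `O_EXCL`, which makes create-or-fail atomic, so a separate "does it exist?" check (and the race it would leave) is unnecessary.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Spec;

# Directory the uploads are allowed to land in (assumed for this example).
my $UPLOAD_DIR = 'C:/www/uploads';

# Reduce whatever the client sent to a safe base name, or return undef.
sub untaint_filename {
    my ($client_name) = @_;
    return undef unless defined $client_name;

    # Some browsers send the full client-side path; keep only the last
    # component. Split on both '/' and '\' so "..\..\x" and "../x" are
    # handled the same way. A name ending in a separator yields no match.
    my ($base) = $client_name =~ m{([^/\\]+)\z};
    return undef unless defined $base;

    # Whitelist: starts with a word character, then word characters, dots
    # or dashes, at most 255 characters. This rejects "..", ":" (drive
    # letters and alternate data streams), spaces, NUL and control bytes.
    # The capture ($1) is what untaints the value under -T.
    return undef unless $base =~ /\A(\w[\w.-]{0,254})\z/;
    my $clean = $1;

    # Windows silently strips a trailing dot, so "foo." and "foo" would
    # name the same file; reject it to keep names unambiguous.
    return undef if $clean =~ /\.\z/;

    # Reserved device names are interpreted by Windows regardless of
    # extension: "nul.txt" is the NUL device, not a file.
    return undef if $clean =~ /\A(?:con|prn|aux|nul|com[1-9]|lpt[1-9])(?:\.|\z)/i;

    return $clean;
}

# Create the target file, failing if it already exists. O_EXCL makes the
# existence check and the create one atomic operation, so neither an
# accidental nor a deliberate overwrite of an existing upload is possible.
sub open_upload_target {
    my ($clean) = @_;
    my $path = File::Spec->catfile($UPLOAD_DIR, $clean);
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or return (undef, "cannot create $path: $!");
    binmode $fh;    # uploads are binary data; do not translate line endings
    return ($fh, $path);
}

# Constructed sample inputs (not taken from the thread) showing what the
# filter keeps and what it refuses.
for my $n ('report.txt', '../../etc/passwd', 'C:\Windows\boot.ini',
           'evil.exe ', 'nul.txt', 'archive.') {
    my $c = untaint_filename($n);
    printf "%-22s -> %s\n", $n, defined $c ? $c : 'REJECTED';
}
```

In the upload handler itself, call `untaint_filename` on the name from the form, refuse the request (or generate a server-side name) when it returns `undef`, and then write the uploaded bytes to the handle returned by `open_upload_target`; if that call fails with "file exists", the upload is a duplicate and the script should say so rather than pick a new name silently.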

Re: Re: Security Uploading Files
by bkiahg (Pilgrim) on Apr 18, 2004 at 17:36 UTC
    Will do on the overwrite checking!!