You certainly want to store the data in some directory that is not anywhere in the HTML document-tree. (That is to say, in a place that cannot be reached by means of a URL.)
A very handy database to use, when you’d otherwise use “a flat file,” is: SQLite (http://www.sqlite.org). This is a flat-file database system (i.e. “no server required”) that, believe it or not, is in the public domain. Consequently, it winds up “damm near everywhere in the world,” probably including your own shirt-pocket. It’s rock-solid, and it works. (Like a furry warm-blooded winged denizen of the dark, freshly escaped from the domain of Beelzebub.) It might not be the cat’s meow in your situation, but it is definitely worth considering.