Some very small applications that do not require a database such as MySQL or Firebird can store data in TXT files.
First, note where the web server's document root is. For example, by default Apache2 on Ubuntu uses the path /var/www/html.
If this is your case, consider storing the data outside this tree, for example in /data or even /var/www/data, so that the files cannot be requested directly over HTTP.
Assuming that your application requires a user and password to access the page, use that same password as part of the hash that derives the encryption key. This prevents one user from having the same decryption hash as another (unless they use the same password).
<?php
$password = 'a1b2c3d4';
$message = "This is the unencrypted message.";

// SHOWING THE MESSAGE BEFORE IT IS ENCRYPTED
echo $message.'<br><br>';

// ENCRYPTING THE VARIABLE $MESSAGE
$cipher_method = 'aes-128-ctr';
// The key is derived from the user's password
$enc_key = openssl_digest(sha1($password), 'SHA256', TRUE);
// A fresh random IV is generated for every encryption
$enc_iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher_method));
// Stored format: base64 ciphertext, then "::", then the IV in hex
$crypted_message = openssl_encrypt($message, $cipher_method, $enc_key, 0, $enc_iv) . "::" . bin2hex($enc_iv);
unset($cipher_method, $enc_key, $enc_iv);

// SHOWING THE MESSAGE ALREADY ENCRYPTED
echo $crypted_message.'<br><br>';

// DECRYPTING THE MESSAGE
list($crypted_token, $enc_iv) = explode("::", $crypted_message);
$cipher_method = 'aes-128-ctr';
$enc_key = openssl_digest(sha1($password), 'SHA256', TRUE);
$message = openssl_decrypt($crypted_token, $cipher_method, $enc_key, 0, hex2bin($enc_iv));
unset($crypted_token, $cipher_method, $enc_key, $enc_iv);

// SHOWING THE MESSAGE DECRYPTED AGAIN
echo $message;
?>
Note that the variable '$password' is part of the hash and will be different for every user. Someone who has access to the code will not have all the pieces of the puzzle needed to decrypt the data.
Feel free to copy, paste, and run the code above and see how it works.
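A variant of the same idea that actually writes the record to a text file, added here as an example and not part of the original code. It swaps in PBKDF2 with a per-record salt for the SHA-1/SHA-256 key derivation and AES-256-GCM for AES-128-CTR, so a wrong password or an edited file is rejected instead of decrypting to garbage; the function names, the iteration count and the temporary demo path are assumptions.

```php
<?php
// Added example: names, iteration count and demo path are assumptions.
const KDF_ITERATIONS = 600000; // assumed work factor, tune for your server

function derive_key(string $password, string $salt): string {
    // Salted, deliberately slow derivation of a 32-byte AES-256 key.
    return hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
}

function save_encrypted(string $path, string $password, string $message): void {
    $salt = random_bytes(16);
    $iv = random_bytes(12); // 96-bit nonce, fresh for every write
    $tag = '';
    $ct = openssl_encrypt($message, 'aes-256-gcm', derive_key($password, $salt),
        OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // One text line: salt, IV, tag and ciphertext, each base64-encoded.
    $line = implode(':', array_map('base64_encode', [$salt, $iv, $tag, $ct]));
    if (file_put_contents($path, $line . "\n", LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    chmod($path, 0600); // only the account running PHP may read it
}

function load_encrypted(string $path, string $password): ?string {
    $raw = is_readable($path) ? file_get_contents($path) : false;
    $parts = $raw === false ? [] : explode(':', trim($raw));
    if (count($parts) !== 4) {
        return null;
    }
    [$salt, $iv, $tag, $ct] = array_map(fn($p) => base64_decode($p, true), $parts);
    if (in_array(false, [$salt, $iv, $tag, $ct], true) || strlen($iv) !== 12 || strlen($tag) !== 16) {
        return null;
    }
    // Returns false when the tag does not verify (wrong password or edited file).
    $pt = openssl_decrypt($ct, 'aes-256-gcm', derive_key($password, $salt),
        OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Demo with constructed values; a temp file stands in for the data directory.
$path = sys_get_temp_dir() . '/encrypted_demo.txt';
save_encrypted($path, 'a1b2c3d4', 'This is the unencrypted message.');
var_dump(load_encrypted($path, 'a1b2c3d4'));         // correct password
var_dump(load_encrypted($path, 'not-the-password')); // wrong password
unlink($path);
```

In a real deployment, replace the temporary path with a file in the directory outside the web root, such as the /data example above.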