Originally Posted By: nomis23uk
You can put a password on a database. With a text file it's all there and accessible if someone knows the direct path to said text file(s).

Sounds like you can't handle a server. With the right settings there is no security risk whatsoever, besides maybe bugs in the server software, but they are usually well tested (especially Apache and Nginx).
Btw, it's also possible to fail to secure a database so that everyone has access to it. For example by not validating any input.

Quote:
also with a database you can control which user has access to which part of the database etc.

Why would I want to have user access? Normally everything is routed through a web service which has access to the database.

Anyway, about encryption, usually you want to use HTTPS instead of HTTP, and before trusting the HTTPS connection (hey, man-in-the-middle attacks work there too), you should validate the certificate, the CA of the certificate and whether the certificate was revoked (something most HTTPS implementations never do). You don't need to encrypt what you put into the database; however, don't even dare to put passwords in plain text into it. Always save a salted hash of the user passwords and try to make the salt as random as possible. You should also consider SHA256 as the hashing algorithm because MD5 and SHA1 are considered more or less broken by now.


Shitlord by trade and passion. Graphics programmer at Laminar Research.
I write blog posts at feresignum.com