guicole: the file is written on the server end.
This is secure. The lack of security might come from the method you interface, and allow user to call through an ajax call.
Consider the server and your game as two different applications on two different computers (even if you're running the server locally). The server runs PHP scripts (for example) and can receive ajax calls (call to an url that will execute the designed script).
The file/database is on your server's computer. One can only access the file if he accesses the server physicaly or use a script that acts on the file. (ex: myurl.some/thisisascript.php => writes in the file "player - 10000" because this is what thisisascript.php is written to do)
As said earlier, it all depends on the way your script is made.
The current example would allow anyone with a browser to try to reach myurl.some/thisisascript.php and write in the file a false nick/score if there isn't any checking applied on the values before "saving" them/writing them to the file.
I hope I'm making sense. ^^