What you must appreciate is that records stored in DBMSs are simply placed in plain text files, with a slightly different file organization and indexing structure perhaps managed by MsSQL server / MySQL / Oracle / POSGRES as opposed to the Operating system's File system's component. So there is really not much sense in avoiding databases.

The other thing is that could look at revision control systems such as git (preferred) and / or svn (alternate) for managing flat files but with a Wiki type of system like Trac [ http://en.wikipedia.org/wiki/Trac ] or Redmine [ http://en.wikipedia.org/wiki/Redmine ] on top since it is eaier to hook them onto svn / git / mercurial, etc. The trick is getting the end users monitoring and reporting complaints to check-out / in their changes without actually pulling and pushing changes to the server using the repos clients.(Really???).

The last thing I would like to mention is that you can avoid SQL injection attacks COMPLETELY by either using prepared statements (like in JAVA) or using stored procedures to query data from your dbs easily. Most languages offer simple data structures like dictionaries / associative arrays to handle records coming from a database.

As I said before, avoiding dbms even the lightweight ones for such a system is similar to going down a slippery slope :D. The major problem you will have is when your site starts getting high traffic from different sources and you are forced to do heavy queries against the records it holds.