A couple of hints:

Looking at the code, you're using some very outdated (and problematic) constructs:

1. You're not using warnings / -w or strict. That will hurt you when your script grows any larger than this. It's also cumbersome to retro-actively make scripts strict-compliant. You should make it a habit to start any script you write with

#!/usr/bin/perl -w
use strict;
[download]

2. Calling subroutines as &sub_name; passes the current argument list to the called sub. That's almost never what you want. To be safe you should call subroutines with parentheses, i.e. sub_name( possible arguments here )

3. You should probably not parse CGI parameters by hand. For one thing, your code doesn't handle multi-part encoded forms or the - suggested but not required by the standard - use of ";" instead of "&" as a parameter separator. The canonical module to handle CGI parameters is CGI from the standard distribution.

4. You don't check if your open() call succeeds. Also, using the 3-argument form of open is clearer and has less "issues". See the link. Something like open (FILE,">>",$UserDB) or die "Can't open $UserDB: $!"; is a better way of handling this.

5. It looks like your password file is accessible to outsiders via the webserver. You should probably put it somewhere outside the document root.

Sidenote: You're writing passwords to a file, but you don't seem to be checking if the current user has permission to do that. Note that ANYONE who opens the url "http://yourhost/yourscript.cgi?password=mypassword&companycode=mycompanycode" can currently add a password.

You're also not using the passwords anywhere else. Is this part of a larger system?