This is a file permissions issue with your webserver, really not much you could do with the code. You will need to either move to file to another directory and update the script to load this new file location. You could restrict privs on the file so that only the webserver process can read the file, but all your web requests will come in with this same user anyway. If you don't have any control over your server(which is how it sounds) then this won't work either.
in reply to How to prevent database from listing/viewing?
The only change required to move this file would be updating this line to point to a different dir:
my $CSV_file = "database.txt";
my $CSV_file = "hidden/dir/database.txt";