You can define your database parameters (host, user, sslmode, ..., not password) in
the file ~/.pg_service.conf, which saves you from editing the code or programming your
own config file.
Additionally you can put passwords in ~/.pgpass, which might indeed be safer than in
the code.
Read the pg docs about it; it is well described, but somewhat hidden (search for the
file names).
These nice features depend of course on the usage of the pg client lib (which is the
case in Tcl).
I had this working even for a web server, by putting these files into the web server
home dir.
/Str.
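
The two files described in the message above, as an added example that is not part of the original post: a service file without secrets, a password file created with owner-only permissions, and a check that the password file is in a state libpq will accept. The service name, host, database, user, password placeholder and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; host, database, user, service name and password are constructed.

# write_pg_files DIR (hypothetical helper): create both files under DIR.
write_pg_files() {
    dir=$1
    old_umask=$(umask)
    umask 077                       # create the files as 0600 from the start
    cat > "$dir/pg_service.conf" <<'EOF'
# [service name], then libpq connection parameters; secrets do not go here
[appdb]
host=db.example.internal
port=5432
dbname=app
user=app_rw
sslmode=verify-full
EOF
    # password file line format: hostname:port:database:username:password
    cat > "$dir/pgpass" <<'EOF'
db.example.internal:5432:app:app_rw:EXAMPLE-PLACEHOLDER-PASSWORD
EOF
    umask "$old_umask"
}

# pgpass_usable FILE (hypothetical helper): 0 = ok, 1 = missing,
# 2 = any group/other permission bit set (libpq ignores such a file on Unix),
# 3 = an entry without exactly five fields (escaped "\:" is not handled here).
pgpass_usable() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)    # group and other permission bits
    [ "$mode" = "------" ] || return 2
    awk -F: '!/^#/ && NF && NF != 5 { bad = 1 } END { exit bad + 0 }' "$f" || return 3
    return 0
}

# Usage, pointing libpq at DIR instead of the default ~/ locations:
#   write_pg_files "$HOME/pgconf" && pgpass_usable "$HOME/pgconf/pgpass"
#   export PGSERVICEFILE="$HOME/pgconf/pg_service.conf" PGPASSFILE="$HOME/pgconf/pgpass"
#   psql "service=appdb"
```

For a web server account, the same check can be run against the files in that account's home directory before the service is started.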