settings.py DATABASES protect PASSWORD

I am still new to Django, so I am still learning the ropes. That being said, in settings.py, I know there is a DATABASES dictionary for connecting to databases. Since I am using Django in conjunction with MySQL, the ‘default’ dictionary within DATABASES includes some extra information, including the user and corresponding password for the connection to the database. Since I am still new to this material, I am uncertain if including this information could potentially compromise the security of the software I am developing or pose some other threat. If so, is there a more secure way to store this information? I read something about storing sensitive data in a .env file, but I was not certain if it was the most appropriate solution, nor was I sure if it was a reliable source.

Having the database credentials in your settings file is not inherently insecure. The problem isn’t so much that those credentials are in that file - it’s that it’s too easy to make a mistake that would publicize those credentials. (For example, by checking them in to your git repository.)

However, even that situation is not necessarily a problem if the database itself is secured to restrict access to only those machines needing access to it, such as the server running Django. That means that even if someone had the database credentials, they would still need to exploit a vulnerability on the server running the app in order to gain access. (And if they had that degree of access on the app server, they could probably retrieve the credentials from it anyway.)

Personally, I am a proponent of storing some settings externally to the settings.py file, such as in a .env file - but not for reasons associated with security, or at least not strictly related to security. So yes, I would say that it is an appropriate solution for this, but not the only appropriate solution.
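One way to do what the reply above describes, keeping the MySQL credentials out of settings.py and reading them from the environment (optionally populated from a .env file). This is an added example, not code from the thread or from Django; the minimal .env loader is a stand-in for a library such as python-dotenv, and the variable names DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and DB_PORT are assumptions.

```python
# Added example (not from the forum thread): build Django's DATABASES setting
# from environment variables instead of hard-coding the password in settings.py.
# The .env parser below is a minimal stand-in for python-dotenv; the DB_*
# variable names are assumptions.
import os
import re

# KEY=VALUE, optionally prefixed with "export"; value captured non-greedily
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text):
    """Parse KEY=VALUE lines. Blank lines and '#' comment lines are skipped;
    a value wrapped in matching single or double quotes is unquoted."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed .env line: {raw!r}")
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def load_dotenv(path, environ=os.environ):
    """Load a .env file into environ WITHOUT overriding variables that are
    already set, so a real deployment environment always wins over the file."""
    if not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as f:
        values = parse_dotenv(f.read())
    for key, value in values.items():
        environ.setdefault(key, value)
    return values


def build_databases(environ=os.environ):
    """Return the DATABASES dict. Refuse to start if the password is missing,
    rather than silently connecting with an empty one."""
    password = environ.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start")
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": environ.get("DB_NAME", "myapp"),
            "USER": environ.get("DB_USER", "myapp"),
            "PASSWORD": password,
            "HOST": environ.get("DB_HOST", "127.0.0.1"),
            "PORT": environ.get("DB_PORT", "3306"),
        }
    }


# In settings.py this would be used as:
#   load_dotenv(os.path.join(BASE_DIR, ".env"))
#   DATABASES = build_databases()
# with ".env" listed in .gitignore so the file is never committed.
```

The point of `setdefault` in `load_dotenv` is that the .env file is a development convenience; in production the variables come from the service manager or container runtime, and the file should not be able to override them. Failing on a missing `DB_PASSWORD` turns a misconfigured deployment into an immediate startup error instead of a connection attempt with an empty password.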

What about if I wanted to write a file that used the connect() and cursor() method to create a different kind of connection to the same server? Wouldn’t that file have to be hidden as well?

That depends upon where you retrieve the credentials from to make that connection. You could either use the existing credentials for your database connection, or you could add additional information into your settings file for it - in which case you would manage it in your settings like any other setting.

I was talking about a different method. However, it sounds like you are saying that you could also put more than one set of connection attributes in the DATABASES dictionary in settings.py, like having more than one user and passwd value. Is that right? If so, how do you do that, and how does your code determine which one to use at any given time? If not, what do you mean by additional information and managing it in settings?

See Multiple databases | Django documentation | Django

Also, you are not limited to settings that are currently defined. You can add whatever settings you want/need for any purpose for your applications. It’s just up to your code to determine how those settings will be used.
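An added example of the two things the replies above point at: defining a second alias in DATABASES for the same MySQL database under a different (read-only) account, and deciding in code which alias a given query uses, either through a database router or explicitly with `using()` / `connections[alias].cursor()`. This is not code from the thread or from the Django documentation; the alias name "readonly", the app label "shop", the table name "shop_order" and the DB_* variable names are assumptions.

```python
# Added example (not from the forum thread): two aliases for the same MySQL
# database with different accounts, and the code that chooses between them.
# Alias "readonly", app label "shop", table "shop_order" and the DB_* variable
# names are assumptions.
import os


def two_alias_databases(environ=os.environ):
    """DATABASES with a privileged account for writes and a SELECT-only account
    for reads. Same NAME/HOST/PORT; only USER and PASSWORD differ."""
    common = {
        "ENGINE": "django.db.backends.mysql",
        "NAME": environ.get("DB_NAME", "shop"),
        "HOST": environ.get("DB_HOST", "127.0.0.1"),
        "PORT": environ.get("DB_PORT", "3306"),
    }
    return {
        "default": {**common, "USER": environ["DB_USER"],
                    "PASSWORD": environ["DB_PASSWORD"]},
        "readonly": {**common, "USER": environ["DB_RO_USER"],
                     "PASSWORD": environ["DB_RO_PASSWORD"]},
    }


# Registered in settings.py as:
#   DATABASE_ROUTERS = ["myproject.routers.ReadOnlyRouter"]
class ReadOnlyRouter:
    """Send reads for the 'shop' app through the read-only account; writes,
    migrations and every other app stay on 'default'."""
    app_label = "shop"

    def db_for_read(self, model, **hints):
        if model._meta.app_label == self.app_label:
            return "readonly"
        return None  # None = no opinion, Django falls back to "default"

    def db_for_write(self, model, **hints):
        return None  # writes always use the privileged "default" alias

    def allow_relation(self, obj1, obj2, **hints):
        return True  # both aliases are the same physical database

    def allow_migrate(self, db, app_label, model_name=None, **hints):
        return db == "default"  # never migrate through the read-only account


def count_orders_readonly():
    """Explicit alias selection for raw SQL, bypassing the router.
    The import is deferred so this module loads without Django installed."""
    from django.db import connections
    with connections["readonly"].cursor() as cursor:
        cursor.execute("SELECT COUNT(*) FROM shop_order")
        return cursor.fetchone()[0]


# ORM equivalents of picking an alias per statement:
#   Order.objects.using("readonly").count()        # read via the SELECT-only user
#   Order.objects.using("default").create(...)     # write via the privileged user
```

Each query carries its alias: the router decides when code does not say, and `using()` or `connections[alias]` overrides it for a single statement, so there is no global "current connection" to switch back and forth. The security benefit of the split is that a SQL injection or logic bug in a read path runs under an account that cannot write, drop or grant.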

I kind of skimmed this, but can you define multiple DATABASE connections with the same database name but different users? If so, how do you switch back and forth? Also, do you have to identify which connection executes each and every command, or can you choose an existing connection in code, execute some commands, and switch to another existing connection to continue?

Don’t skim it - read it thoroughly and carefully. The answers to your questions are contained on that page - along with all the caveats.