Using a database API allows an application to communicate with the database server programmatically, offering a secure and standardized method for performing database operations like query execution and data manipulation. It abstracts the complexity and helps prevent SQL injection attacks by using prepared statements and parameterized queries. On the other hand, building SQL queries by directly concatenating user inputs can be prone to SQL injection attacks. Using command-line tools is not practical for a web application because it is not dynamic and can be insecure if proper precautions are not taken. While stored procedures are a secure way to execute pre-defined SQL statements, they are not a direct method of achieving programmatic access from a web application.