I read some hosting company stated that:

Apache's mod_php3: Everything which run as the web server's username, which is not secure. You should use the external shell instead, and run your php3 as CGI.

However, my hosting company is using apache's mod_php. Is that safe?

If you have your own hosted server, sure. If you're sharing space on a server with others, no, it really isn't safe.

Running it in safe mode will restrict it enough so you can't get out of your own directory, but things like databases often need better security to be secure as well.

U means it is not safe for mod_php in a shared server?

That's right. It is not safe on a shared server. My server uses the php4 CGI, and each users files run under their own user account. The files all share the same group, so it is up to my users to make php files which contain passwords or sensetive code non-group-readable.

Rich.