Oreillynet.com has a story on that very topic. "Since PHP is most commonly used as an Apache module, it
derives its security model to a large degree from Apache,
which, if configured properly, is a very secure environment.
In cases where PHP is used as a CGI, this benefit is lost."
March 31, 2001