I am running a web-based database application for my school district, and we have decided that it needs better security. I have picked up a few pieces of this puzzle, but I'm having trouble putting it all together.

My configuration:

Red Hat Linux 7.1
Apache 1.3.19 (configured with mod_ssl)
MySQL 3.23.38
PHP 4.0.4

Where do I go from here? Does Apache have to be recompiled with other modules? Do I need to purchase a certificate from Verisign? How does one establish which pages are sent securely, and which ones aren't? Is this done through Apache, or through the PHP scripts themselves?

Your help will be much appreciated...