Make a back-up of the code now.
Version control.
Create a test site. Is the site running under Apache? You can even install Apache + PHP + MySQL on your own computer and use that for testing.
Deal with security issues. Make sure the site is protected from SQL injection and from email injection. At the very least, you can do a search for database calls and add calls to mysql_real_escape_string() (well, if it's using a MySQL database) ... you can do a real fix later once you understand the code better. For the email injection ... write a filter function that filters out spammer code, and make sure all form fields that are used in an email are filtered. (Yeah, it adds more spaghetti code, but it's going to take a while before you're ready to significantly refactor the code.)
After that, I suggest incremental upgrades. You're new and the code is a higgledy-piggledy mess, so it's going to take a while to understand it all ... and to fully understand the domain. So just go about your job for a bit, fixing what needs to be fixed, adding what needs to be added. As you're doing so, you're learning how the system is put together. Once you know how the code is organized (or not organized) a little better, you can start planning a major refactoring/rewriting of the system. Hopefully you can do it component by component so you've always got a new milestone in the offing.
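An added example, in PHP, of the two stopgaps the answer recommends (escaping values dropped into SQL, and filtering form fields that end up in an e-mail) next to the proper fix for the SQL side; this is not code from the original answer or from the asker's site. It assumes a mysqli connection `$db`, a `users` table with `id` and `email` columns, and a contact form posting `email`, `subject` and `message`; those names are made up for illustration. It calls mysqli_real_escape_string() rather than mysql_real_escape_string(), because the old mysql extension the answer refers to was removed in PHP 7.

```php
<?php
// Added example (not from the original answer): a stopgap escaping helper for
// SQL, the prepared-statement fix it should later be replaced with, and a
// header filter for form fields that are used in an outgoing e-mail.
// Table/column/form-field names below are hypothetical.

declare(strict_types=1);

// --- SQL injection ----------------------------------------------------------

// Stopgap: wrap every value that is interpolated into SQL text.
// Escaping only protects a quoted string literal; a value dropped into a bare
// numeric position (WHERE id = $id) needs a cast/validation instead.
function sqlStr(mysqli $db, string $value): string
{
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

function sqlInt($value): int
{
    if (!is_numeric($value) || (string)(int)$value !== (string)$value) {
        throw new InvalidArgumentException('expected an integer');
    }
    return (int)$value;
}

// Before (the pattern to grep for):
//   $r = mysqli_query($db, "SELECT * FROM users WHERE email = '$_POST[email]'");
// Stopgap:
//   $r = mysqli_query($db, "SELECT * FROM users WHERE email = " . sqlStr($db, $_POST['email']));
// Real fix, once the query can be touched: a prepared statement, so the value
// is sent separately and never becomes part of the SQL text at all.
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- E-mail header injection ------------------------------------------------

// mail() assembles the message from the header string it is given. A form
// value containing "\r\n" (or a bare "\n") followed by "Bcc: ..." appends a
// header, so the spammer chooses extra recipients. Anything destined for a
// header line therefore must not contain control characters at all.
function headerSafe(string $value, int $maxLen = 255): string
{
    $value = trim($value);
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('control characters are not allowed in mail headers');
    }
    if (mb_strlen($value) > $maxLen) {
        throw new InvalidArgumentException('header value too long');
    }
    return $value;
}

function emailAddressOrFail(string $value): string
{
    $value = headerSafe($value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    return $value;
}

// Every form field that reaches mail() goes through a filter first.
function sendContactForm(array $post, string $to): bool
{
    $from    = emailAddressOrFail((string)($post['email'] ?? ''));
    $subject = headerSafe((string)($post['subject'] ?? ''));
    // The body may contain line breaks, but normalise them so a stray "\r"
    // cannot be mistaken for part of a header terminator.
    $body    = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));
    $body    = wordwrap($body, 70);

    $headers = "From: $from\r\nReply-To: $from\r\nX-Mailer: PHP/" . PHP_VERSION;
    return mail($to, $subject, $body, $headers);
}

// Constructed payload of the kind the filter exists to stop:
try {
    headerSafe("Hello\r\nBcc: everyone@example.com");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The escaping helper is the "search for database calls and wrap them" step; the prepared statement is the "real fix later" and needs no escaping at all, because the value never touches the query string. For the e-mail side the rule is simple to apply across a messy code base: any field that lands in a header is rejected if it contains a control character, and only the message body is allowed line breaks.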