Is it generally a bad idea to encrypt database fields?
General comments. It sounds like it would be helpful for you and your boss to learn some basic security concepts, before proceeding. Security is a specialized field. You wouldn't ask a random person on the street to perform open-heart surgery on you; and you shouldn't expect an average software developer to know how to secure your systems.
I sense some misconceptions here. For instance, it sounds like your boss has equated security with cryptography. But this is a mistake. As Bruce Schneier has emphasized, "Cryptography is not magic pixie dust that you can sprinkle on a system to make it secure." And as Roger Needham once famously said, "If you think cryptography will solve your problem, either you don't understand cryptography, or you don't understand your problem."
When securing a computer system, one important concept is the threat model. This means you need to think carefully about what kinds of attacks and adversaries you are trying to stop, and what you aren't. A failure to think through the threat model clearly can lead to security theater: security mechanisms that look good on first glance, but actually are woefully inadequate in practice. Good security management often comes down to risk management: careful analysis of what are the most serious risks, and then devising strategies to mitigate or manage those particular risks.
It is also important to understand that security is a weakest-link property: the security of your system is only as strong as the weakest link. A vulnerability in any one part of the system can compromise the security of the entire system. This means that there's no one answer that's going to be sufficient to protect your system; instead, to defend your system, you have to get security right in a number of places.
Diving into details. It sounds like your goals are to prevent unauthorized disclosure of sensitive data. If so, you're going to need to focus on a number of items. There's no one simple magic silver bullet that is going to solve this for you; you are going to need to work on application security generally.
Let me suggest some things that should be priorities for you, if I've understood your goals correctly:
Application security. You need to start studying up on web application security. It doesn't matter how much crypto you throw at the problem; if an attacker can find a security hole in your application code, you are hosed. For background on web application security, OWASP has many excellent resources. Make sure you learn about the OWASP Top Ten, about XSS, SQL injection, input sanitization/validation, output escaping, whitelisting, and other concepts.
Access control. Your web application needs to have solid access controls, to ensure that one user of your system cannot access information of another user (without authorization). The details of this will depend upon the specifics of your particular system, so if you want additional help on this, you'll probably need to post a separate question with more details about your application and your current strategy for access control.
Authentication. Your web application will need a way to authenticate its users. The standard least-effort scheme is to just use a username and password. However, this has serious limitations in practice that are well-understood. If users choose their own passwords, they often choose poor passwords, and this can subvert the security of your system.
Secure software development lifecycle. You need to integrate security into the software development process. When you work out the software architecture, you should be thinking about the security requirements and performing threat modelling and architectural risk analysis. When writing code, you need to know about common implementation errors that can breach security and make sure to avoid them. After the software is built, you need to test its security and constantly evaluate how you are doing at security. When you deploy the software, your operations folks need to know how to manage it securely. Microsoft has some excellent resources on the secure software development lifecycle (SDL). See also BSIMM for more.
Security assessment. If you are concerned about security, I suggest having the security of your application assessed. A simple starting point might be to have someone perform a pentest of your web application, to check for certain kinds of common errors. This is by no means a guarantee of security, but sometimes it can help serve as a wakeup call if there are many major problems present. You might look at WhiteHat Security's services; there are also many others who will perform web pentesting.
If you are getting the sense that this is not a trivial undertaking, I apologize, but that is indeed the case. On the other hand, the good news is that there are a lot of resources out there, and moreover, you don't need to become an expert-level security guru: you just need to become familiar with some basic concepts and some common security mistakes in web programming, and that will take care of most of your needs.
Encrypting the data in the database will protect the information if the database is somehow stolen. But it won't do anything to protect against the website being attacked, for example by guessing a username/password.
It might slow someone down if they have compromised the server, because they have to find the key, but it won't stop them. It also comes at a potentially high price. For example, the encrypted fields are no longer searchable in any efficient way.
You also need to be aware of the backup implications and ensure the key is backed up, preferably separately from the database backups, to prevent the database from being decrypted if a backup tape is stolen. AND you need to ensure you have several copies of the key and TEST them regularly.
A good concept from SOA is to have a crypto service running isolated from other processes on your server (your web app should also run isolated!). Then when you need to encrypt/decrypt an object/field, you send the plaintext/ciphertext to the crypto service and get back the ciphertext/plaintext. This way, even if your web app gets compromised, the attacker cannot read the encryption key, because only the crypto service knows the key. Also, because your web app is isolated, what he could do on your system is severely limited. Service isolation is usually done with a MAC system like SELinux, TOMOYO (much easier to use than SELinux imo), or AppArmor. Also I'd recommend running the latest Linux kernel patched with grsecurity.
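The two answers above make related points: the key must live somewhere other than the database (and be backed up separately), and the cleanest way to keep it out of a compromised web app is a separate crypto service that only ever exchanges plaintext and ciphertext with the app. The Go program below is an added example, not code from either answer, showing that split in miniature: a `CryptoService` type holds an AES-256-GCM key and exposes `Encrypt`/`Decrypt` over `net/rpc`, while the key-less `WebApp` side only stores and retrieves opaque bytes. The `net.Pipe` in-memory connection is an assumption standing in for the real process boundary (a Unix socket or local port between two isolated processes), and the key in `main` is a constructed throwaway; in deployment it would be loaded only by the service from a file, HSM or KMS the web app cannot read. It also shows the search caveat from the second answer: a random nonce per call means the same value encrypts to different ciphertext each time, so equality lookups on the column no longer work.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
	"net/rpc"
)

// FieldRequest and FieldResponse are the only things that cross the boundary
// between the web app and the crypto service: bytes in, bytes out, never a key.
type FieldRequest struct {
	Field string // column name, bound into the ciphertext as AEAD associated data
	Data  []byte // plaintext for Encrypt, ciphertext for Decrypt
}

type FieldResponse struct {
	Data []byte
}

// CryptoService is the only type that ever sees the key.
type CryptoService struct {
	aead cipher.AEAD
}

// NewCryptoService accepts a 16-, 24- or 32-byte AES key.
func NewCryptoService(key []byte) (*CryptoService, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CryptoService{aead: aead}, nil
}

// Encrypt returns nonce || ciphertext || GCM tag. A fresh random nonce per call
// is required for GCM and is why equal plaintexts yield unequal ciphertexts.
func (s *CryptoService) Encrypt(req FieldRequest, resp *FieldResponse) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	resp.Data = append(nonce, s.aead.Seal(nil, nonce, req.Data, []byte(req.Field))...)
	return nil
}

// Decrypt rejects anything that was tampered with, encrypted under another
// key, or encrypted for a different column (the field name is authenticated).
func (s *CryptoService) Decrypt(req FieldRequest, resp *FieldResponse) error {
	n := s.aead.NonceSize()
	if len(req.Data) < n {
		return errors.New("ciphertext too short")
	}
	pt, err := s.aead.Open(nil, req.Data[:n], req.Data[n:], []byte(req.Field))
	if err != nil {
		return errors.New("decryption failed: wrong key, wrong field, or tampered data")
	}
	resp.Data = pt
	return nil
}

// StartService serves the crypto service on one end of an in-memory connection
// (assumed stand-in for a socket between two isolated processes) and returns
// the client handle the web app uses. The key never leaves this function's side.
func StartService(key []byte) (*rpc.Client, error) {
	svc, err := NewCryptoService(key)
	if err != nil {
		return nil, err
	}
	server := rpc.NewServer()
	if err := server.RegisterName("Crypto", svc); err != nil {
		return nil, err
	}
	serverConn, clientConn := net.Pipe()
	go server.ServeConn(serverConn)
	return rpc.NewClient(clientConn), nil
}

// WebApp is the key-less side: it only holds an RPC handle.
type WebApp struct{ crypto *rpc.Client }

// StoreField returns the bytes to write into the database column.
func (w *WebApp) StoreField(field string, plaintext []byte) ([]byte, error) {
	var resp FieldResponse
	err := w.crypto.Call("Crypto.Encrypt", FieldRequest{Field: field, Data: plaintext}, &resp)
	return resp.Data, err
}

// ReadField turns a stored column value back into plaintext.
func (w *WebApp) ReadField(field string, ciphertext []byte) ([]byte, error) {
	var resp FieldResponse
	err := w.crypto.Call("Crypto.Decrypt", FieldRequest{Field: field, Data: ciphertext}, &resp)
	return resp.Data, err
}

func main() {
	key := make([]byte, 32) // constructed throwaway key for the demo only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	client, err := StartService(key)
	if err != nil {
		panic(err)
	}
	app := &WebApp{crypto: client}
	ct1, _ := app.StoreField("ssn", []byte("123-45-6789")) // constructed sample value
	ct2, _ := app.StoreField("ssn", []byte("123-45-6789"))
	pt, _ := app.ReadField("ssn", ct1)
	fmt.Printf("stored %d bytes, same value encrypts identically: %v, decrypts to %q\n",
		len(ct1), string(ct1) == string(ct2), pt)
}
```

Because the web app process holds only the RPC handle, an attacker who can execute code in it can ask the service to decrypt values one at a time, which is exactly the "slow them down but not stop them" situation the second answer describes; rate limiting and logging on the service side are where the detection opportunity lies, and the service's key file is the thing that must be backed up separately from the database.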