PHP PayPal payment validation

I'm developing a site for a client, and he wants people to be able to buy licenses/support contracts via PayPal. What I'm stumped 开发者_如何转开发on is how I can make the payments secure. My current idea is to generate a random string using MD5 or whatever, plug this into a database, and send it along with the rest of the PayPal button code. When the payment is completed, the user is redirected to a PHP page where there is code to update their information in the database. The only thing stopping a hacker giving themselves a license/whatever without paying is the random hash, which can be found out using a sniffer of some sort, and plugged into the POST data returned by the PayPal code.

So. My question is this: How do I execute custom PHP code only on a successful PayPal payment, without leaving any loopholes open for the more evil users of the interwebs?

I think you should use a Payment Gateway such as PayFlow

if you're on the website ready to pay, there maybe a session already with your user logged in?

in this scenario, when the user returns back to the website, you can check you have a particular session variable and if it exists, you do the following

1) check your session, do you have a user logged in? should still be logged in if you just visited paypal a few minutes ago.

2) does the session contain your sale_id?

3) if no, dump the user on the home page, remember to header("Location..."); die("DEAD"). the die() part is important

4) if yes, check the sale_id was paid, the notify url should have caught the POSTED payment data, if valid, allow them to update the data

5) if yes, but not valid, allow them to repay using another method, this means to redirect them to another page to attempt to pay again, but don't let them access the "change details" page, the only way you get there, is by strictly validating the payment was successful.

how does that work for you ?