On a web shopping cart written in PHP, should I check the IP address every time?
Are too many people on rotating IPs for this to be a good security measure (among others, of course), or is this standard practice?
Also can anybody enlighten me on some concepts I should pay particular attention to in securing a shopping cart?
So far I have form validation, rotating session keys, no sensitive information stored in a cookie or by JavaScript, SSL encryption, and all SQL is escaped.
To quote 0xA3:
I don't think that this is a good idea. Subsequent requests from the same user might not necessarily come from the same IP address, because the request might come through a different proxy. IIRC this used to be the case for all AOL users, and might be the case for other providers or some corporate networks, too.
It is better to secure your session with page tokens to prevent hijacking of a session.
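The kind of session protection that answer recommends, as an added example that is not part of the original question or either answer: cookie-only sessions with strict mode, a session ID rotated on privilege changes, and a per-form token checked with a constant-time comparison. Nothing here is tied to the client IP address, so users whose requests hop between proxies or NAT gateways keep working. The function names, the `checkout` form name and the HTTPS-only assumption are ours for illustration; the code uses only standard PHP 7.3+ functions.

```php
<?php
// Added example (not from the original question or answers): session hardening
// for a PHP shopping cart that does not bind the session to the client IP.
// Assumptions (hypothetical for this example): the app runs over HTTPS and keeps
// cart state server-side in $_SESSION; function and form names are ours.

declare(strict_types=1);

function start_secure_session(): void
{
    // Cookie-only sessions: no session IDs in URLs (they leak via Referer and logs).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue

    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,       // only sent over TLS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',      // not sent on cross-site POSTs
    ]);
    session_start();
}

// Call after a privilege change (login, start of checkout) so a session ID an
// attacker planted or observed beforehand stops being valid (session fixation).
function rotate_session_id(): void
{
    session_regenerate_id(true);
}

// One token per form. It is tied to the session, not to the IP address.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = $token;
    return $token;
}

function verify_form_token(string $form, ?string $submitted): bool
{
    $expected = $_SESSION['form_tokens'][$form] ?? null;
    // Single-use: remove before checking so a replay of the same token fails.
    unset($_SESSION['form_tokens'][$form]);
    if ($expected === null || $submitted === null) {
        return false;
    }
    // Constant-time comparison; a plain == would also accept type-juggled values.
    return hash_equals($expected, $submitted);
}

// --- usage ----------------------------------------------------------------
start_secure_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verify_form_token('checkout', $_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired form token');
    }
    rotate_session_id();
    // ... process the order using $_SESSION['cart'] ...
    exit('Order accepted');
}

$token = issue_form_token('checkout');
?>
<form method="post" action="">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Place order</button>
</form>
```

The token is deliberately single-use, which means a user who opens the checkout form in two tabs will have the first submission invalidate the second; if that matters for your cart, keep a small list of recent tokens per form instead of one, but still remove each token the moment it is accepted.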
It'd eliminate any chance of mobile users using your site - they're generally all behind NAT gateways and would appear to come from only a few IPs for each provider.