I process my payments manually, but this of course can cause a few hours of delay to process orders. What's a good way to confirm that a PayPal payment was really made and that's hard to scam, to prevent people from sending a false "payment received" signal to get the service for free? I'm thinking maybe something that makes a random number and passes it to PayPal in the "payment ok return address" and then my website confirms the same number is returned, but how would I prevent people from just manually calling that URL with the random number in it? Thanks
This is what IPN is for: the payment variables are sent to PayPal for verification... if there is an error, PayPal returns false. Just use any PayPal IPN script. It works really well.
PayPal does not show your return URL with the full parameters. The parameters (the random number, transaction ID, etc.) are normally sent to your URL directly from the PayPal server.
Over here: https://www.paypal.com/ipn. It's used to send notifications of payments, reversals, refunds, chargebacks, disputes, etc.
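
The IPN check the replies describe, as an added example that is not part of the thread: the listener posts the received body back to PayPal with `cmd=_notify-validate` and fulfils the order only if the reply is `VERIFIED` and the payment details match its own order record. The `order` fields, carrying the random order reference in PayPal's `custom` pass-through variable, and the injectable `postback` argument are assumptions made for this sketch.

```python
import urllib.parse
import urllib.request
from decimal import Decimal, InvalidOperation

PAYPAL_IPN_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"  # live postback endpoint

def paypal_postback(raw_body: bytes) -> str:
    """Echo the notification to PayPal unchanged; the reply is VERIFIED or INVALID."""
    req = urllib.request.Request(
        PAYPAL_IPN_URL, data=b"cmd=_notify-validate&" + raw_body,
        headers={"User-Agent": "ipn-check-example"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()

def check_ipn(raw_body, order, seen_txn_ids, postback=paypal_postback):
    """Return (ok, reason). `order` is your own record of what should be paid."""
    # 1. Anyone can POST to the listener URL, so ask PayPal whether it sent this body.
    if postback(raw_body) != "VERIFIED":
        return False, "not verified by PayPal"
    parsed = urllib.parse.parse_qs(raw_body.decode("latin-1"), keep_blank_values=True)
    f = {k: v[0] for k, v in parsed.items()}
    # 2. A genuine notification can still be for a pending or reversed payment.
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    # 3. It must be a payment to you, for this order, in the right amount and currency.
    if f.get("receiver_email", "").lower() != order["receiver_email"].lower():
        return False, "paid to a different account"
    if f.get("custom") != order["order_id"]:
        return False, "unknown order reference"
    try:
        amount_ok = Decimal(f.get("mc_gross", "")) == Decimal(order["amount"])
    except InvalidOperation:
        return False, "bad amount"
    if not amount_ok or f.get("mc_currency") != order["currency"]:
        return False, "wrong amount or currency"
    # 4. A real notification replayed later must not deliver the service twice.
    txn_id = f.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "duplicate transaction"
    seen_txn_ids.add(txn_id)
    return True, "ok"

# Constructed sample data (not from a real transaction).
ORDER = {"order_id": "r4nd0m-8841", "receiver_email": "shop@example.com",
         "currency": "USD", "amount": "19.99"}
SAMPLE_IPN = urllib.parse.urlencode({
    "payment_status": "Completed", "receiver_email": "shop@example.com",
    "custom": "r4nd0m-8841", "mc_gross": "19.99", "mc_currency": "USD",
    "txn_id": "TESTTXN0001"}).encode()
```

In production `seen_txn_ids` would be a database table with a unique constraint on the transaction ID rather than an in-memory set.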