
Is it safe to use custom field for userId in Paypal's "buy now button" forms?


When I get a notification of payment through IPN, I need to know which of my users paid it.

A recommended way is to add a hidden "custom" field to the "buy now button"'s form, which will be passed back by IPN.

However, I think a malicious user can take advantage of it. For example, let's say userA and userB are both users of siteC. UserA knows HTML, and he makes a "buy now button" by copying what there is on siteC, sets the "custom" field to "userA's Id" and somehow lets userB click this button.

In this case, when userB pays it, he doesn't pay for himself but for userA.

How to address this problem?


Solution

  • Any HTML <form /> field can be trivially manipulated/tampered with. "Never trust the client" is the operative mindset and requires validating any data submitted to your application prior to acting on it.

    You can think of using that field for hashing or encrypting the data you send/expect and subsequently verify or decrypt respectively when echoed back to your application.

    If feasible, look into options provided by Paypal to secure your payment buttons - so you don't have to do it yourself... or at least not "all" of it...

    Hth...
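One way to implement the "hash the value you send, verify it when IPN echoes it back" idea from the answer, as an added example that is not code from the question, the answer or PayPal: the hidden custom field carries the user id, the expected amount, an issue time and a nonce, all bound together by an HMAC under a server-side key (the key name and the in-memory nonce set are assumptions standing in for your configuration and database).

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret loaded from configuration; it never reaches the browser.
SECRET_KEY = b"replace-with-a-long-random-server-side-secret"

# Stand-in for a database table of consumed tokens (replay protection).
_consumed_nonces = set()


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_custom(user_id, amount, now=None):
    """Value for the hidden 'custom' field: user_id:amount:issued_at:nonce:tag.

    The tag binds the user id to the expected amount and an issue time, so a
    visitor cannot substitute another user's id or price without the key.
    """
    issued_at = int(time.time() if now is None else now)
    payload = f"{user_id}:{amount}:{issued_at}:{secrets.token_hex(8)}"
    return f"{payload}:{_tag(payload)}"


def verify_custom(custom, paid_amount, now=None, max_age=3600):
    """Return the user id carried by an IPN's 'custom' value, or None if it was
    tampered with, has expired, was already used, or the amount differs.

    Call this only after PayPal's own IPN validation step has succeeded.
    """
    parts = custom.split(":")
    if len(parts) != 5:
        return None
    user_id, amount, issued_at, nonce, tag = parts
    payload = ":".join(parts[:4])
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    current = int(time.time() if now is None else now)
    if not issued_at.isdigit() or current - int(issued_at) > max_age:
        return None
    if amount != paid_amount or nonce in _consumed_nonces:
        return None
    _consumed_nonces.add(nonce)  # one token settles at most one payment
    return user_id
```

The tag proves only that your site issued this value for that user id; it does not prove who pressed the button, so still compare the IPN's amount and currency (and whatever else your order record holds) before crediting the account.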