
PHP Membership script + PayPal IPN, what info do I request and compare with?


So I have a product. In order for users to buy it, they need to create an account. That account will later be used to access my product.

My question is this: What information do I ask the user for upon registration (before payment)? I will need something to compare with, whenever Paypal sends a Notification. What I mean by that is this: if I only ask for a username and password - how will I know that it was that specific user that paid, and update the database accordingly?

Obviously I would want to require firstname, lastname, and E-Mail as well. The reason I presented the above situation was because I see other membership sites that ask for an E-Mail (not PayPal email), but they can't be sure that the firstname, lastname, and/or email match the info the customer has on their PayPal.

To make it short: How do I update the clients account whenever I receive a Notification (set the Active field in the Database to TRUE, or something), and what information do I verify/validate with?

If my question is not clear enough, please do not hesitate to let me know. :)


Solution

  • Well, I don't think it's really any different than the normal "how do I really know that product X was really paid for via PayPal". Your "product" here is a membership subscription, not a physical product; otherwise it's essentially the same.

    When you send the user to PayPal, just send a unique identifier for the user along in the PayPal data. (You can just use the id of the user table, if you don't want to create a "product" to sell.) Pass this along using either the "custom" field or the "item_number" field. PayPal will pass both these pieces of information back to you in the IPN, and you can use that to verify that a payment was made for that user.

    If you were worried about users spoofing payments on behalf of other users you can a) encrypt all the data that you send to PayPal and b) set your PayPal settings to only accept encrypted shopping cart data for your account.

    EDIT: Lots more specific information on passing information to PayPal:

    There are many, many variables that you can use to send information to PayPal. Assuming that you are using Website Payments Standard and the shopping cart functionality, this can be divided into two buckets.

    1. Fields that apply to the entire transaction. See Table 4 in this document: https://www.x.com/docs/DOC-1332#id08A6HH0D0TA
    2. Fields that apply to an individual item. See Table 5 in the same document.

    Not all of that information is passed back to you in the IPN. To see what is passed back to you in the IPN, look at the "Sample IPN Message" section here: https://cms.paypal.com/cgi-bin/marketingweb?cmd=_render-content&content_ID=developer/e_howto_admin_IPNIntro.

    What you need is a piece of information that a) you pass to PayPal to uniquely identify a user and b) PayPal passes back to you in the IPN.

    I suggest that you use the variable called "custom" for this purpose. (See Table 4: HTML Variables for Payment Transactions.)

    What exactly you pass in the "custom" variable is up to you. You could send a) the id for the user in your user table, b) their registered email address on your site, c) some hash of one of those... it doesn't really matter as long as it uniquely identifies the user, so that when you get the IPN back you can say "I know this payment is for User X".
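
The answer above tells you what to pass (the user id in "custom") but not what an IPN listener has to check before it flips the Active flag. The following is an added example written for this page, not code from the question, the answer or PayPal; it assumes a PDO connection, a `users` table with `id` and `active` columns, a `payments` table with a UNIQUE `txn_id` column (so a replayed IPN cannot activate twice), and hypothetical constants for the receiver email, price, currency and an HMAC secret. The HMAC wrapped around the user id in "custom" is an assumption added here to stop a user from editing the id in the browser before the redirect to PayPal; PayPal's own "VERIFIED" postback is what proves the notification really came from PayPal. The verification endpoint used is PayPal's current `ipnpb.paypal.com` host (sandbox: `ipnpb.sandbox.paypal.com`), which is newer than the URLs cited in the answer.

```php
<?php
// Added example, not from the original post. Assumes: $pdo (PDO), tables
// users(id, active) and payments(txn_id UNIQUE, user_id, amount, currency).
// Constants below are hypothetical placeholders for a real deployment.
declare(strict_types=1);

const PAYPAL_IPN_URL    = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // live verifier; sandbox: ipnpb.sandbox.paypal.com
const RECEIVER_EMAIL    = 'merchant@example.com';   // hypothetical: the PayPal account that must receive the money
const EXPECTED_AMOUNT   = '19.99';                  // hypothetical membership price
const EXPECTED_CURRENCY = 'USD';
const CUSTOM_HMAC_KEY   = 'replace-with-a-long-random-secret'; // hypothetical server-side secret

// Value for the "custom" field when sending the user to PayPal: "<user_id>:<hmac>".
// The HMAC lets the listener detect a user id that was tampered with client-side.
function buildCustomField(int $userId): string {
    return $userId . ':' . hash_hmac('sha256', (string)$userId, CUSTOM_HMAC_KEY);
}

// Parse the "custom" field PayPal sent back; returns the user id, or null if it was altered.
function parseCustomField(string $custom): ?int {
    $parts = explode(':', $custom, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return null;
    }
    $expected = hash_hmac('sha256', $parts[0], CUSTOM_HMAC_KEY);
    return hash_equals($expected, $parts[1]) ? (int)$parts[0] : null;
}

// Post the raw IPN body back to PayPal prefixed with cmd=_notify-validate.
// PayPal answers the literal string VERIFIED (genuine) or INVALID (forged/altered).
function ipnIsVerified(string $rawBody): bool {
    $ch = curl_init(PAYPAL_IPN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Listener'],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === 'VERIFIED';
}

// Returns true only when the IPN is genuine, complete, paid to us for the right
// amount, tied to a valid user id, and not a replay of an already processed txn_id.
function handleIpn(PDO $pdo, string $rawBody, array $post): bool {
    if (!ipnIsVerified($rawBody)) {
        return false;
    }
    // Pending, Refunded, Reversed etc. must never activate an account.
    if (($post['payment_status'] ?? '') !== 'Completed') {
        return false;
    }
    // Money must have gone to our account, in the expected amount and currency.
    if (strcasecmp($post['receiver_email'] ?? '', RECEIVER_EMAIL) !== 0) {
        return false;
    }
    if (abs((float)($post['mc_gross'] ?? '0') - (float)EXPECTED_AMOUNT) > 0.005) {
        return false;
    }
    if (($post['mc_currency'] ?? '') !== EXPECTED_CURRENCY) {
        return false;
    }
    $userId = parseCustomField($post['custom'] ?? '');
    $txnId  = $post['txn_id'] ?? '';
    if ($userId === null || $txnId === '') {
        return false;
    }
    // Insert txn_id first: the UNIQUE constraint rejects a replayed notification.
    $pdo->beginTransaction();
    try {
        $ins = $pdo->prepare('INSERT INTO payments (txn_id, user_id, amount, currency) VALUES (?, ?, ?, ?)');
        $ins->execute([$txnId, $userId, $post['mc_gross'], $post['mc_currency']]);
        $upd = $pdo->prepare('UPDATE users SET active = 1 WHERE id = ?');
        $upd->execute([$userId]);
        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack(); // duplicate txn_id or DB error: leave the account untouched
        return false;
    }
}

// Entry point when this file is the notify_url. Respond 200 so PayPal stops retrying.
if (PHP_SAPI !== 'cli') {
    $pdo = new PDO('sqlite:membership.db'); // hypothetical DSN
    handleIpn($pdo, file_get_contents('php://input'), $_POST);
    http_response_code(200);
}
```

Put `buildCustomField($user->id)` into the hidden `custom` input of the PayPal button form, and point `notify_url` at this script. The order of checks matters: the postback is done on the raw body (not on `$_POST`, which PHP may have re-encoded), `payment_status` is checked before anything is written, and the `txn_id` row is inserted in the same transaction as the activation so a second delivery of the same IPN fails on the UNIQUE index rather than activating twice.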