Yeah I do something like that.
Customer wants to buy something
Order info is put into DB as unpaid
Get the order ID # (I use an auto_increment primary key)
Send the order ID # in the PayPal link, using the variable they have for the product number
The IPN then gets the "product" number which is really the order number
IPN checks they paid the correct amount and if so it will mark the order as paid
Doing it this way requires you to use a link instead of a secure button, which is why the price check is necessary. I've been using it on a few sites for months with no problems or even attempts at messing with the price.
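An IPN handler for the flow above, written as an added example rather than the poster's own code: it echoes the notification back to PayPal for verification, takes the order id from PayPal's item_number field, and marks the order paid only when payment_status, receiver_email, mc_gross and mc_currency all match the stored order; the in-memory order table, merchant address and the validate callback are constructed stand-ins for the real DB and the HTTPS round-trip to PayPal.

```python
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict
from urllib.parse import parse_qs

# Constructed stand-in for the orders table: order_id -> row
ORDERS: Dict[int, dict] = {
    17: {"amount": Decimal("49.00"), "currency": "USD", "paid": False},
}
MERCHANT_EMAIL = "seller@example.com"   # assumed merchant PayPal address
SEEN_TXN_IDS = set()                     # replay protection for txn_id


def handle_ipn(raw_body: bytes, validate: Callable[[bytes], str]) -> str:
    """Process one IPN POST body; validate() posts the same body back to
    PayPal with cmd=_notify-validate and returns VERIFIED or INVALID."""
    # 1. Never trust the POST on its own; only act on a VERIFIED echo.
    if validate(raw_body) != "VERIFIED":
        return "rejected: not verified by PayPal"
    fields = {k: v[0] for k, v in parse_qs(raw_body.decode()).items()}

    # 2. item_number carries our order id, not a real product number.
    try:
        order_id = int(fields.get("item_number", ""))
    except ValueError:
        return "rejected: bad item_number"
    order = ORDERS.get(order_id)
    if order is None:
        return "rejected: unknown order"

    # 3. Only completed payments made to our account count as paid.
    if fields.get("payment_status") != "Completed":
        return "ignored: payment_status is not Completed"
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return "rejected: receiver_email is not ours"

    # 4. The price check: amount and currency must equal what we stored,
    #    because the link could have been edited before submission.
    try:
        paid = Decimal(fields.get("mc_gross", "0"))
    except InvalidOperation:
        return "rejected: bad mc_gross"
    if paid != order["amount"] or fields.get("mc_currency") != order["currency"]:
        return "rejected: amount or currency mismatch"

    # 5. Each txn_id may mark an order paid only once.
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in SEEN_TXN_IDS:
        return "ignored: duplicate txn_id"
    SEEN_TXN_IDS.add(txn_id)
    order["paid"] = True
    return "paid"
```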