#1
PHP Security :: URL access control
I'm trying to set up a secured page using PHP that can only be accessed after a visitor has paid using PayPal. Basically, this is what would happen:

1. a user would choose a subscription on Server A.
2. user would be redirected to PayPal
3. on "success" PayPal will refer back to a page on Server A where a user can fill out a form and submit information into MySQL DB

I wouldn't want someone to reach step 3 without paying due to the garbage that could end up in the database. What can I do to prevent that since I am redirecting to PayPal and then being pulled back to my site?

I understand that $_SERVER["HTTP_REFERER"] is a bad idea, and it's too unpredictable anyway. What are some alternatives? Has anyone encountered anything like this?

Thanks in advance. I'm pulling my hair out here...and I don't have much to spare
#2
Will $_SESSION variables last if you leave your domain and come back based on clicks, etc.? I know it won't if you type the address in manually...
#3
In my experience with PayPal, I've been given a button to add to my site. It included hidden parameters named "return" and "cancel_return" in which I could specify URLs for PayPal to redirect to. Perhaps you could append session ids or something to these URLs to validate the return link against. Or on page load, generate an md5 hash that you send along with the return/cancel URL. You'd stick this hash in your database on page load as well. The return page would check the hash passed against those in the database and do additional tasks as needed. You'd also need a pruning cron script to clear out old hashes. This isn't fully secure or anything, obviously.
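
The return-token scheme from post #3, as an added example that is not part of the thread. It swaps the md5 hash for a `random_bytes` token, stores only its SHA-256 digest, and makes each token single-use with an expiry. The table, function names and URL are assumptions, and in-memory SQLite stands in for the MySQL database.

```php
<?php
declare(strict_types=1);
// Hypothetical schema and names; in-memory SQLite stands in for the MySQL DB.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE return_tokens (
    token_hash TEXT PRIMARY KEY,
    expires_at INTEGER NOT NULL,
    used       INTEGER NOT NULL DEFAULT 0
)');

// Called on the subscription page, before the redirect to PayPal.
function issueReturnToken(PDO $db, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, swapped in for the md5 hash
    $stmt = $db->prepare('INSERT INTO return_tokens (token_hash, expires_at) VALUES (?, ?)');
    $stmt->execute([hash('sha256', $token), time() + $ttlSeconds]);
    return $token;
}

// Called on the return page. Succeeds once per token, and only before expiry.
function redeemReturnToken(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false; // reject malformed input before touching the database
    }
    // One conditional UPDATE, so two concurrent requests cannot both redeem.
    $stmt = $db->prepare(
        'UPDATE return_tokens SET used = 1
          WHERE token_hash = ? AND used = 0 AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

// The pruning job the post mentions (run from cron).
function pruneReturnTokens(PDO $db): int
{
    $stmt = $db->prepare('DELETE FROM return_tokens WHERE used = 1 OR expires_at <= ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}

$token = issueReturnToken($db);
echo 'https://server-a.example/signup.php?t=' . $token, "\n"; // constructed return URL
var_dump(redeemReturnToken($db, $token));              // first visit to the return page
var_dump(redeemReturnToken($db, $token));              // same link replayed
var_dump(redeemReturnToken($db, str_repeat('0', 64))); // well-formed but unknown token
var_dump(pruneReturnTokens($db));                      // rows removed by the cron job
```

Because the return URL travels in a hidden form field that the visitor can read before paying, a valid token shows only that the visitor started from the subscription page. Whether the payment completed has to be confirmed with PayPal on the server side before the form submission is accepted.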