You could check the HTTP REFERER server variable and only allow access to the page if they are sent from a paypal.com address.

What I do with Paypal is this: I have Paypal set up to do what's called a SILENT BACKGROUND POST. In essence, when Paypal receives a payment on my behalf, they post the details to a web page I have set up (receive-paypal.asp). This includes the username, amount, and other details I can use to verify this user. Store this in a database when you receive it, and you can match it up with the user's account.

Details on how to do this are in the Paypal developer's guide. It's been a few years since I set it up, so I don't remember the details offhand, but if enough people are interested in this, I could make a lesson out of it. (Sound up here!)