@Jearnshaw, variable injection is an old technique that doesn't really work anymore (at least against people with a little bit of ecommerce clue). As you already mentioned, all you have to do is check the price paid on the PayPal receipt. You can just refund their money and also inform PayPal that they have been trying to scam you, and I am sure PayPal will take action against users who try sneaky tricks.
The WP eStore handles this in a much better way, though. The later version of eStore doesn't use hidden fields. You can check it out on the following demo page:
The eStore also has post-payment checks against variable injection. eStore checks the price in the product database (that you configured) against the price paid in PayPal before it gives the digital product to the customer. The following URL explains the post-payment verification that goes on after a payment, before the digital product is given to the customer:
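The post-payment check described in the reply above, written out as an added example. This is not code from the original post or from the WP eStore plugin; it is a stand-alone sketch of the same idea. The field names (`payment_status`, `receiver_email`, `item_number`, `mc_gross`, `mc_currency`, `txn_id`) are PayPal's IPN variable names; the product catalogue, merchant address and the two IPN messages are constructed for the example. The postback to PayPal that must answer `VERIFIED` before any of this is trusted is a network step and is assumed to have already happened.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed stand-in for the store's product database: the prices the
# merchant configured, which are the only prices the store should trust.
PRODUCTS = {
    "101": {"name": "Ebook", "price": Decimal("19.99"), "currency": "USD"},
    "102": {"name": "Theme", "price": Decimal("49.00"), "currency": "USD"},
}

# Assumed merchant PayPal account; a payment to any other account is not ours.
MERCHANT_EMAIL = "seller@example.com"


def parse_ipn(body: str) -> dict:
    """Flatten a form-encoded IPN body into a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def verify_payment(ipn: dict, seen_txn_ids: set) -> tuple:
    """Decide whether a digital product may be released for this IPN.

    Assumes the IPN has already been posted back to PayPal and PayPal replied
    VERIFIED. Returns (ok, reason). The amount check is the one that defeats
    a tampered checkout form: whatever price the buyer injected, PayPal
    reports what was actually paid in mc_gross, and that is compared with the
    price on record, never with anything the buyer supplied.
    """
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL.lower():
        return False, "paid to a different PayPal account"

    product = PRODUCTS.get(ipn.get("item_number", ""))
    if product is None:
        return False, "unknown product"

    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "malformed amount"
    if ipn.get("mc_currency") != product["currency"]:
        return False, "currency mismatch"
    if paid < product["price"]:
        return False, "underpaid: %s < %s" % (paid, product["price"])

    # Replay protection: one delivery per PayPal transaction id.
    txn = ipn.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        return False, "missing or already-used txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"


# Constructed IPN bodies: an honest purchase of product 101, and one where the
# buyer edited the checkout form so PayPal only charged 0.01.
LEGIT_IPN = ("payment_status=Completed&receiver_email=seller%40example.com"
             "&item_number=101&mc_gross=19.99&mc_currency=USD&txn_id=TX1001")
TAMPERED_IPN = ("payment_status=Completed&receiver_email=seller%40example.com"
                "&item_number=101&mc_gross=0.01&mc_currency=USD&txn_id=TX1002")


if __name__ == "__main__":
    seen = set()
    for label, body in (("legit", LEGIT_IPN), ("tampered", TAMPERED_IPN)):
        ok, reason = verify_payment(parse_ipn(body), seen)
        print(label, "->", "deliver" if ok else "hold", "(%s)" % reason)
```

Only the third check, the comparison against the configured price, is specific to variable injection; the account, currency and transaction-id checks are there because a store that reads the amount from the IPN but skips them is still easy to fool with a payment to the wrong account or a replayed notification.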