The ID is to be passed to payPal when sending over a payment.
This loop that includes "thank_you.html" is really for basic purchases and not for downloads. Look at the loop:
1. Client is redirected to payPal.
2. Client makes payment.
3. At payment complete, there is a link "return to customer site" which brings you to thankyou.html.
There are a number of things wrong with this. As mentioned, once they go to thankyou.html, they can pass it out to all their friends. Or what if they never click the return to site link at all? A common reaction of many users is that once they've completed the payment, they are done, and out of habit just close the window. There is also a validation issue too - what if they pay with an eCheck, whcih takes three business days to clear? You're redirecting them to the download before it's paid for (and may NOT be paid for.)
What you should do with digital downloads is look at IPN (Instant Payment Notification.) Contrary to it's name, IPN is not about sending you an email notification, it's about sending a token to a URL on your site once the payment is successful, which, as mentioned, can be instant or several days later.
IPN resolves all of the above problems, including them closing the payPal window and not returning to your site.
Once you have enabled IPN in your account, You construct two scripts with IPN: one that sends them to payPal, and one that "listens" for the IPN notification.
1. Customer enters form data on your site, that does NOT include credit card info.
2. On submit, you store this data in your database and mark it as "pending" or "in progress" - not complete.
3. After storing the data, you send them to payPal.
4. Customer makes payment. They can return to your site or not, we don't care.
Now your second script, the "listener," does this:
1. "Listens" for IPN's from paypal.
2. On recipt of the IPN, it looks up the customer in your database referred to by the IPN.
3. If the payment is not successful, it emails the client of the failure.
4. If the payment is successful,
a. Mark the transaction as complete in your database.
b. Create a "unique URL" that will expire in a given amount of time (or the first time it's requested.) This can be a simple or complex method, too deep to discuss here.
c. Email the client of the success and the email contains this unique URL.
All of this is well documented in the payPal IPN documentation with examples. There are many threads on this board for generating unique URL's.