Paypal and "going root"
From | Kenneth Downs |
---|---|
Subject | Paypal and "going root" |
Date | |
Msg-id | 464C5C6E.6040202@secdat.com |
Responses | Re: Paypal and "going root"; Re: Paypal and "going root"; Re: Paypal and "going root"; Re: Paypal and "going root" |
List | pgsql-general |
I am seeking to have a system in which it is never necessary for application code to "go root" w/respect to the database server, where all commands issued to a server are as a regular logged in user with their privileges.

There are two holes I know of here. Thanks to Tom I've got the answer to the first one: which is creating users. We will implement stored procedures that create users and grant privileges, and then grant execute privileges to these stored procedures. This means we don't have to "go root" to grant membership in groups.

The last one left that I have is the sticky issue of a Paypal IPN transaction coming in. I believe it applies generally to financial transactions. The user is sent by our application to the Paypal site. When they pay, Paypal sends a POST with various information that we need. The user does not see this; it is behind the scenes.

The POST request must run as an anonymous user because I have no state whatsoever. But the request must also commit financial data. This creates a vulnerability, at least in theory. There are fields contained in the transaction meant to allow confirmation and prevent fraud, but I just don't like that idea of running anonymously and committing financial data.

In this case it seems creating a stored procedure will not automatically help, as then we just execute the SP anonymously, and it strikes me as no different.

Has anybody pondered this and come up with anything?

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
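
The stored-procedure approach to user creation described in the message above, sketched for PostgreSQL as an added example that is not part of the original post. All role, schema and function names are hypothetical, and it assumes the function owner has CREATEROLE (not superuser) and may create a schema in the database.

```sql
-- Constructed example: every name below is hypothetical.
-- Run as the owning role, which has CREATEROLE but is not a superuser.
CREATE ROLE app_users NOLOGIN;   -- group whose members may call the function
CREATE ROLE customers NOLOGIN;   -- groups the function is allowed to hand out
CREATE ROLE clerks    NOLOGIN;

CREATE SCHEMA IF NOT EXISTS admin_api;

CREATE FUNCTION admin_api.create_app_user(p_name text, p_password text, p_group text)
RETURNS void
LANGUAGE plpgsql
SECURITY DEFINER                        -- body runs with the owner's privileges
SET search_path = pg_catalog, pg_temp   -- caller cannot shadow built-in objects
AS $$
BEGIN
    -- Fixed allow-list: the caller chooses among these groups and nothing else.
    IF p_group NOT IN ('customers', 'clerks') THEN
        RAISE EXCEPTION 'group % may not be granted through this function', p_group;
    END IF;

    -- Constrain the shape of new role names before they reach dynamic SQL.
    IF p_name !~ '^[a-z][a-z0-9_]{2,30}$' THEN
        RAISE EXCEPTION 'invalid user name';
    END IF;

    -- %I quotes identifiers and %L quotes literals, so the arguments
    -- cannot change the structure of the statements.
    EXECUTE format(
        'CREATE ROLE %I LOGIN PASSWORD %L NOSUPERUSER NOCREATEDB NOCREATEROLE',
        p_name, p_password);
    EXECUTE format('GRANT %I TO %I', p_group, p_name);
END;
$$;

-- New functions are executable by PUBLIC by default; revoke that first,
-- then grant EXECUTE only to the group that should be able to create users.
REVOKE ALL ON FUNCTION admin_api.create_app_user(text, text, text) FROM PUBLIC;
GRANT USAGE ON SCHEMA admin_api TO app_users;
GRANT EXECUTE ON FUNCTION admin_api.create_app_user(text, text, text) TO app_users;
```

A member of `app_users` can then run `SELECT admin_api.create_app_user('alice_01', '...', 'customers');` without holding CREATEROLE itself.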