to tiziano - regarding passing data from form to thank-you page
If you include the data in the pay now button form hidden tag "custom" value the data will be returned in the "cm=" NVP.
If the data is multi field then simply include a separator between fields (ie use "|" char is common... something that won't appear in the field values).
Then simply expand the "custom" ("cm") value in to each item value by splitting with the (ie) "|" char again when received via GET in the thank-you page.
The query string you receive (above) is correct and safe. It is supplied that way so a basic thank-you page can be dynamically created with minimal info.
BUT to then capture a confirmed UN-TAINTED (secure and correct) full transaction record your dynamic page must use the "tx" value with your PDT key in a handshake with the PP server which once confirmed legit will return the transaction record in full ending the handshake with a POST data stream which your dynamic PDT page can then parse as desired.
Whether you receive the PDT query string (above) and subsequent POST data stream, or nothing, or a simple get query string, depends on your PP profiles PDT setup. It is complicated to follow on the PP site PDT page help info I know but I think yours appears to be set OK for as I explained.
**So, try using the "custom" hidden tag embedded with the carry-over data and it will be sent to your thank-you page post payment in the "cm" NVP.
PS NEVER rely on the full PDT process to update dbs etc with the transaction record captured this way, only for display purposes. It is on record many payers simply surf on elsewhere from the PP payment results page, or their browser / ISP connection crashes and consequently the PDT (thank-you page) db record parsing never takes place (USE THE DISCREET IPN process ALSO to reliably do that seconds before hand).
Hope that helps some bod.