I think there are many ways to improve that code, using arrays more efficiently (code as arrays).
For one, it contains rows of repetitive code like this:
$paypal['firstname'] = isset($_POST['firstname']) ? $_POST['firstname']: "";
$paypal['lastname'] = isset($_POST['lastname']) ? $_POST['lastname']: "";
// ad nauseum
Could be rewritten simply as (remove my comments to see how short it could be)
// these are the required paypal fields (you would have to add them all)
$original = array('firstname','lastname','address');
// then you could assign an empty string to each one
$pp = array_fill_keys($original, '');
// var_dump($pp) // have a look and check by uncommenting this line
// here is an example of some incoming POST vars:
// 2 you ARE expecting, and will use
$_POST['firstname'] = 'Joe';
$_POST['lastname'] = 'Bloggs';
// imagine $_POST['address'] is missing
... nothing here, its missing ;)
// one you DONT want to use, say ...
// then merge them
$paypal = array_merge($pp, $_POST);
'firstname' => string 'Joe' (length=3)
'lastname' => string 'Bloggs' (length=6)
'address' => string '' (length=0)
address is pre-filled in with '', see?
There are other similar things you can do to eliminate all those hardcoded keys which appear in that code.
Getting back to your original question, Mike is right of course, you do not need to prepare it for insertion into a db, you have no idea what PP are going to do with those values - that is their responsibility, unless they instruct you to do otherwise of course.
Your responsibility is to Escape Output (from FIEO, Filter Input Escape Output) ready for the next environment the vars are heading.
Where this code falls down again is that it (seemingly) does not Escape Output when subsequently echoing those vars into a HTML page, that is where you should be using one of the PHP escape mechanisms prior using [htmlentities() [URL="http://php.net/manual/en/function.htmlspecialchars.php"]htmlspecialchars()](http://www.php.net/manual/en/function.htmlentities.php)etc.
So, good question, and yes, you should be escaping your data, but not there and not using mysql_real_escape_string (which counters SQL injection attacks) but as you dump the vars back onto a page (to counter XSS attacks in html).