EDIT: $products_per_page however could possibly be specified from an external post.
I didn't go through the x-cart code to see if the query checks this variable prior to use or assumes it is safe because it usually comes from the config, but I figure better safe than sorry