I don't want to hijack this thread as it's a good mod... and not my mod... but I've had to assist several store owners who have had the misfortune of having their sites hacked due to varying exploits, so please excuse my paranoia and hesitation to rely on x-cart's data sanitizing 
Here's the code I would use in change_ppp.php:
Code:
<?php
if ( !defined('XCART_SESSION_START') && ($_SERVER['REQUEST_METHOD'] != "POST")) { header("Location: home.php");}
require_once "auth.php";
x_session_register("products_per_page");
if ($_SERVER['REQUEST_METHOD'] == "POST") {
if ($ppp) {
$back = $_SERVER['HTTP_REFERER'];
if (!$back)
$back = "/home.php";
if ($ppp == "all") {
$ppp = 32767;
} else {
$products_per_page = (int)$ppp;
}
x_session_save("products_per_page");
func_header_location($back);
}
}
if ((int)$products_per_page > 0) {
$config["Appearance"]["products_per_page"] = $products_per_page;
$objects_per_page = $config["Appearance"]["products_per_page"];
}
$smarty -> assign("products_per_page",$config["Appearance"]["products_per_page"]);
?>