Moved sql where line to be included in count
I think we've got a bigger problem with this file, which is an SQL injection vulnerability on line 12. Try searching for "'); drop table devices; --" (without the double quotes), on an unimportant system and you'll see what I mean. ;-)
Have you tested this, or just read that page's code and assumed that it's not escaped?
$searchPhrase is run through mres() in html/ajax_table.php
'); drop table test; --
mysql> select * from test;
Empty set (0.00 sec)
My assumption was based on reading the code only.
I still get nervous when I see variables inserted like that instead of parameterised, but if there's no way to hit that code without the variables being sanitised, I'm happy. :-)
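To make the escaping-versus-parameterising point concrete, here is an added example (not code from the project under discussion or from anyone in this thread) that writes the search both ways. It assumes a PDO connection to MySQL, a `devices` table with a `hostname` column, placeholder credentials, and the constructed `$searchPhrase` taken from the first comment.

```php
<?php
// Added example, not the project's code: the search from the thread two ways.
// Assumptions: a PDO connection to MySQL, a `devices` table with a `hostname`
// column, placeholder credentials, and the constructed $searchPhrase below.

function search_escaped(PDO $pdo, string $searchPhrase): array
{
    // Pattern discussed in the thread: escape, then interpolate into the SQL.
    // PDO::quote() escapes and adds the surrounding quotes (the job mres()
    // does in the page's code). This is only safe while every code path that
    // reaches the query escapes first; a new caller that forgets is exactly
    // the injection the first comment was worried about.
    $needle = $pdo->quote('%' . $searchPhrase . '%');
    $sql = "SELECT hostname FROM devices WHERE hostname LIKE " . $needle;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function search_parameterised(PDO $pdo, string $searchPhrase): array
{
    // Prepared statement: the phrase is sent as data, never as SQL text, so
    // correctness no longer depends on callers having sanitised it.
    // Note that LIKE wildcards (% and _) inside the phrase still act as
    // wildcards in both versions; that is a matching quirk, not an injection.
    $stmt = $pdo->prepare("SELECT hostname FROM devices WHERE hostname LIKE :needle");
    $stmt->execute([':needle' => '%' . $searchPhrase . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: the phrase quoted in the first comment. In both functions
// it is treated as a literal LIKE pattern and simply matches nothing, which is
// the "Empty set" the mysql session above reported.
$searchPhrase = "'); drop table devices; --";

// Placeholder connection details; replace with a real DSN and credentials.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER'
);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepares rather than client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

var_dump(search_escaped($pdo, $searchPhrase));
var_dump(search_parameterised($pdo, $searchPhrase));
```

The practical difference is where the safety lives: in the first function it lives in every caller remembering to escape, in the second it lives in the query itself.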