test.php.xyz will run as php.
As long as the file extension is unknown to Apache, the next extension is chosen, starting from the right. This is a reminder on why you should use whitelisting to validate input.
Whitelisting means to check if input is allowed, based on predefined rules. For example: allow only numbers. Or allow only letters.
A blacklisting approach, predefines bad combinations of strings and metacharacters. This will work fine if you can enumerate all possible bad inputs. Which is unlikely.
Do whitelisting on input.