A file named test.php.xyz will run as PHP.

Apache reads file extensions starting from the right: as long as an extension is unknown to it, the next one is chosen. This is a reminder of why you should use whitelisting to validate input.

Whitelisting means checking whether input is allowed, based on predefined rules. For example: allow only numbers, or allow only letters.

A blacklisting approach predefines bad combinations of strings and metacharacters. This works fine only if you can enumerate all possible bad inputs, which is unlikely.

Do whitelisting on input.
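
The two approaches applied to the file name above, as an added example that is not part of the original post. The extension sets, the function names and the Apache lookup are assumptions: a simplified, constructed model of the behaviour described here, not Apache's own code.

```python
import re

# Constructed sample: extensions this hypothetical Apache has a mapping for.
APACHE_KNOWN = {"php": "php-handler", "html": "static", "jpg": "static", "png": "static"}

BLACKLIST = {"php", "phtml", "php5"}  # enumerated "bad" extensions (assumed set)
WHITELIST = {"jpg", "png", "gif"}     # the only extensions accepted (assumed set)
# Whitelist rule for the whole name: safe base, exactly one dot, one extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([a-z0-9]+)")


def apache_effective_extension(filename):
    """Simplified model: walk extensions from the right, skipping unknown ones."""
    parts = filename.lower().split(".")[1:]
    for ext in reversed(parts):
        if ext in APACHE_KNOWN:
            return ext
    return None


def blacklist_allows(filename):
    """Blacklist check: reject only if the last extension is a known-bad one."""
    last = filename.lower().rsplit(".", 1)[-1]
    return last not in BLACKLIST


def whitelist_allows(filename):
    """Whitelist check: accept only names that match the predefined rule."""
    match = SAFE_NAME.fullmatch(filename)
    return bool(match) and match.group(1) in WHITELIST


def report(names):
    """Return (name, blacklist verdict, whitelist verdict, modelled handler)."""
    rows = []
    for name in names:
        ext = apache_effective_extension(name)
        rows.append((name, blacklist_allows(name), whitelist_allows(name),
                     APACHE_KNOWN.get(ext)))
    return rows


if __name__ == "__main__":
    # Constructed sample file names.
    for row in report(["photo.jpg", "test.php", "test.php.xyz", "notes.xyz"]):
        print(row)
```

The blacklist accepts test.php.xyz because "xyz" was never enumerated as bad, while the whitelist rejects it because the name does not fit the allowed shape.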