php $_GET is it interpreted as single quoted or double quoted string?

Question

I'm making the assumption that $_GET variables are interpreted as single quoted strings (and not double quoted strings).

I believe this is true because of the following test (trying to directory traversal attack myself):

$file = "../test.php";
/**
* same as file1 but using hexadecimal encoding, which is a feature
* only available to double quoted strings
* https://www.php.net/manual/en/language.types.string.php
*/
$file2 = "\x2e\x2e\x2ftest.php"; 

include $file1; // will succeed in my environment
include $file2; // will succeed in my environment

However, if I pass the hexadecimal notation via $_GET, it fails including the file:

$file3 = $_GET["path"]; // (string) \x2e\x2e\x2ftest.php
include $file3; // will fail in my environment

So my question is: is it really the case that $_GET variables are interpreted as single quoted strings? (because if so then maybe a simple removing of two consecutive dots from the user input would prevent any directory traversal attack)

And if so, is it written anywhere in the php manual?

Answer 1

Short Answer: $_GET['path'] is a Variable. PHP will interpret escape sequences only if it found in double quotes, not in a variable. -> Strings Manual.

$get = "\x2e";
var_dump($get);  
//string(1) "."

$get = "\\"."x2e";
var_dump($get);
//string(4) "\x2e"