Not really, no.

You will need to read the first few bytes of each file and interpret it as a header for a finite set of known filetypes. Most files have distinct file headers, some sort of metadata in the first few bytes or first few kilobytes in the case of MP3.

Your program will have to simply try parsing the file for each of your accepted filetypes.

For my program, I send the uploaded image to imagemagick in a try-catch block, and if it blows up, then I guess it was a bad image. This should be considered insecure, because I am loading arbitrary (user supplied) binary data into an external program, which is generally an attack vector. here, I am trusting imageMagick to not do anything to my system.

I recommend writing your own handlers for the significant filetypes you intend to use, to avoid any attack vectors.

Edit: I see in PHP there are some tools to do this for you.

Also, MIME types are what the user's browser claims the file to be. It is handy and useful to read those and act on them in your code, but it is not a secure method, because anyone sending you bad files will fake the MIME headers easily. It's sort of a front line defense to keep your code that expects a JPEG from barfing on a PNG, but if someone embedded a virus in a .exe and named it JPEG, there's no reason not to have spoofed the MIME type.

that could still be forged. I would ensure that you can not (or do not) run a file uploaded to the server automatically.

I would also have a virus/spy ware scanner, and let it do the work for you.

Is checking the MIME type simply enough? I am assuming that changing the extension on a file doesn't change it's MIME type? Is MIME type a strong enough indicator to go by here?

It really depends on how it's used.

• If you provide uploads and downloads, then nothing matters since it doesn't execute.
• If it's handled by the web server, then it's going to be dependent on how the web server is configured, though subject to most of the rest of these comments.
• If it's an image, it will either display, or not, or be the target of image library exploits. But only those.
• Something like a pdf file may not affect your server, but rather the computer of the person accessing the file.
• If it's going to be passed to a function like "system()" then we're back to the OS behavior--as if it were "double-clicked", and the file extension might even be considered.

Is checking the MIME type simply enough? I am assuming that changing the extension on a file doesn't change it's MIME type?

Is MIME type a strong enough indicator to go by here?

Thanks for all of the responses thus far.

you can use below code which gives you MIME type if you have changed the extension then also

$finfo = finfo_open(FILEINFO_MIME_TYPE);
echo $mime = finfo_file($finfo, $_FILES['userfile']['tmp_name']);
finfo_close($finfo);

Windows users: just edit php.ini and uncomment this line:

extension=php_fileinfo.dll

Remember to restart Apache for new php.ini to take effect.

In *nix, the first two bytes of the file tells you (see "magic number"). In Windows, ...sometimes this will be true ("header info"). It is, ultimately, O.S. dependent.