Authenticity of uploaded pdf files

Question

My server must only accept pdf files. I am using php to upload files. Currently, I am checking if the file starts with %PDF to ensure the uploaded file really is a pdf file. Are

Answer 1

You can use the PECL FileInfo extension to detect the MIME type. (I suspect however, that internally, it just does the same thing you're already doing.) Alternatively, you might use FPDI to see if you can successfully read the file. With PDF files though, I think embedded malware is a bigger concern than misnamed executables. Any time you're accepting uploads from users, it's probably a good idea to run the file through ClamAV or similar.