跳到内容
DevLab

File Signature (Magic Bytes) Reference

A reference of the leading-byte signatures (magic bytes) that identify file formats. Useful for type detection and upload validation.

What are magic bytes?

Most file formats include a fixed byte sequence at the start of the file — the "magic bytes" or "file signature". The OS and applications use this to detect file type. File extensions are easy to spoof; magic bytes are a reliable binary-level identifier, making them essential for trustworthy upload validation.

Linux's file command and PHP's finfo class detect MIME types using this mechanism.

Image files

FormatExtensionMagic bytes (hex)ASCIIOffset
PNG.png89 50 4E 47 0D 0A 1A 0A‰PNG\r\n\x1a\n0
JPEG.jpg/.jpegFF D8 FF0
GIF87a.gif47 49 46 38 37 61GIF87a0
GIF89a.gif47 49 46 38 39 61GIF89a0
WebP.webp52 49 46 46 ?? ?? ?? ?? 57 45 42 50RIFF????WEBP0
BMP.bmp42 4DBM0
TIFF (little-endian).tiff/.tif49 49 2A 00II*\00
TIFF (big-endian).tiff/.tif4D 4D 00 2AMM\0*0
AVIF / HEIF.avif/.heif66 74 79 70ftyp4
ICO.ico00 00 01 000
SVG.svg<?xml or <svgtext0 (no BOM)

Documents & archives

FormatExtensionMagic bytes (hex)Notes
PDF.pdf25 50 44 46 2D%PDF-
ZIP.zip50 4B 03 04PK\x03\x04
ZIP (empty).zip50 4B 05 06
GZIP.gz1F 8B
7-Zip.7z37 7A BC AF 27 1C7z\xBC\xAF'\x1C
RAR4.rar52 61 72 21 1A 07 00Rar!\x1A\x07\x00
RAR5.rar52 61 72 21 1A 07 01 00
TAR.tar75 73 74 61 72ustar (offset 257)
DOCX / XLSX / PPTX.docx etc.50 4B 03 04ZIP-based (distinguished by extension)
XLS (legacy).xlsD0 CF 11 E0 A1 B1 1A E1OLE2 container
DOC (legacy).docD0 CF 11 E0 A1 B1 1A E1OLE2 container

Text & data formats

FormatExtensionMagic bytes / BOMNotes
UTF-8 with BOM.txt/.csv etc.EF BB BFByte Order Mark
UTF-16 LE BOM.txt etc.FF FELittle-endian
UTF-16 BE BOM.txt etc.FE FFBig-endian
UTF-32 LE BOM.txt etc.FF FE 00 00
JSON (typical).json7B or 5B{ or [
CSV (typical).csvplain text (no BOM)No signature
XML.xml3C 3F 78 6D 6C<?xml

Audio & video

FormatExtensionMagic bytes (hex)Notes
MP3.mp3FF FB / FF F3 / FF F2Or ID3 tag: 49 44 33
MP4 / M4A / M4V.mp4 etc.66 74 79 70ftyp (offset 4)
WAV.wav52 49 46 46 ?? ?? ?? ?? 57 41 56 45RIFF????WAVE
OGG.ogg/.ogv4F 67 67 53OggS
FLAC.flac66 4C 61 43fLaC
AVI.avi52 49 46 46 ?? ?? ?? ?? 41 56 49 20RIFF????AVI
MKV / WebM.mkv/.webm1A 45 DF A3EBML header

Executables & other

FormatExtensionMagic bytes (hex)Notes
ELF (Linux executable)none/.elf7F 45 4C 46\x7FELF
PE (Windows executable).exe/.dll4D 5AMZ
Mach-O (macOS executable)noneCF FA ED FE64-bit
PHP script.php3C 3F 70 68 70<?php
SQLite.sqlite/.db53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00SQLite format 3\0
ISO.iso43 44 30 30 31Offset 32769: CD001

Magic byte validation in PHP

 ['offset' => 0, 'bytes' => "\x89PNG\r\n\x1a\n", 'length' => 8],
        'jpg'  => ['offset' => 0, 'bytes' => "\xFF\xD8\xFF",       'length' => 3],
        'gif'  => ['offset' => 0, 'bytes' => "GIF8",               'length' => 4],
        'pdf'  => ['offset' => 0, 'bytes' => "%PDF-",              'length' => 5],
        'zip'  => ['offset' => 0, 'bytes' => "PK\x03\x04",         'length' => 4],
        'exe'  => ['offset' => 0, 'bytes' => "MZ",                 'length' => 2],
    ];

    if (!isset($signatures[$expectedType])) {
        throw new \InvalidArgumentException("Unknown file type: $expectedType");
    }

    $sig = $signatures[$expectedType];
    $handle = fopen($filePath, 'rb');
    if ($sig['offset'] > 0) fseek($handle, $sig['offset']);
    $header = fread($handle, $sig['length']);
    fclose($handle);

    if (substr($header, 0, $sig['length']) !== $sig['bytes']) {
        throw new \RuntimeException("Magic bytes do not match (expected: $expectedType)");
    }
}

// Usage
validateMagicBytes($_FILES['upload']['tmp_name'], 'png');
echo "Valid PNG file";

Related resources