[thelist] checking uploaded filetypes

Liz Lawson webgraphics at freeuk.com
Thu Jun 1 09:33:43 2000


I am building a site (PHP) which will allow users to include a logo with
their order, using a file input field in a form. I will probably accept only
four or five common graphic file formats. This should be possible with html,
except that the browsers don't support "accept" in a file tag.

Obviously, I reject anything which has an extension not on my "safe-list".
However, I think that I have to accept files which do not have an extension
at all as many logo files start out on Macs. I also have to assume that
acceptable extensions may be incorrect for the file supplied, due to
inaccurate Mac / PC transfers or malice.

The MIME type identified by PHP, which is supplied by the browser, may be
missing (IE on Mac, apparently), incorrect (malicious user or incorrectly
configured browser) or not enough to identify the file type (an EPS file
will have Application/Octet-Stream, but so could many other things,
including malicious executables).

As the files should not be opened or run on the server, I hope that the
worst that can happen with an unidentified file-type is the same as with
unidentified e-mail graphics attachments: (run a virus-check, try open-as in
photoshop, try illustrator, try freehand, ring client). Obviously, though,
I'd like to make things as safe as possible.

Does anyone know a way of verifying a file-type from the file contents
only, Mac and PC, or have any other suggestions?

Liz
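Added example (not part of the original post, and not the poster's PHP code): a content-based check along the lines Liz asks for. It identifies the upload from its leading bytes using the documented header signatures of GIF, PNG, JPEG, BMP, TIFF and EPS (both the text DSC header and the DOS binary wrapper), applies a small structural sanity check where the signature alone is short, then treats the filename extension as optional: a missing extension (the Mac case) is fine, but an extension that is present must be on the safe list and must agree with the sniffed content. The browser-supplied MIME type is accepted as an argument only so it can be logged; it plays no part in the decision. All sample byte strings are constructed for the example.

```python
"""Identify uploaded logo files from their bytes, not from extension or MIME type."""
import struct
from typing import Optional, Tuple

# Documented file-format signatures (first bytes of the file).
_SIGNATURES = [
    ("gif",  (b"GIF87a", b"GIF89a")),
    ("png",  (b"\x89PNG\r\n\x1a\n",)),
    ("jpeg", (b"\xff\xd8\xff",)),
    ("bmp",  (b"BM",)),
    ("tiff", (b"II*\x00", b"MM\x00*")),
    # EPS: plain-text DSC header, or the DOS/Windows binary EPS wrapper.
    ("eps",  (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")),
]

# The safe list; narrow it to whatever the order form actually needs.
ALLOWED_TYPES = {"gif", "png", "jpeg", "bmp", "tiff", "eps"}

# Extension -> type the content must turn out to be. An absent extension is allowed.
EXT_TO_TYPE = {
    "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
    "bmp": "bmp", "tif": "tiff", "tiff": "tiff", "eps": "eps",
}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the format name whose signature the data starts with, else None."""
    for kind, prefixes in _SIGNATURES:
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def _structure_ok(kind: str, data: bytes) -> bool:
    """Cheap second check for formats whose magic bytes alone are weak evidence."""
    if kind == "png":
        # The 8-byte signature is always followed by a 4-byte length and 'IHDR'.
        return data[12:16] == b"IHDR"
    if kind == "bmp":
        # 'BM' is only two bytes; the header also declares the total file size.
        return len(data) >= 14 and struct.unpack("<I", data[2:6])[0] == len(data)
    if kind == "eps" and data.startswith(b"%!"):
        # A text EPS announces itself as EPSF on its first DSC line.
        return b"EPSF" in data.split(b"\n", 1)[0][:64]
    return True


def validate_upload(filename: str, client_mime: str, data: bytes) -> Tuple[bool, Optional[str], str]:
    """Decide (accepted, detected_type, reason). client_mime is never trusted."""
    detected = sniff_type(data)
    if detected is None:
        return (False, None, "unrecognised content")
    if not _structure_ok(detected, data):
        return (False, detected, "header structure invalid")
    if detected not in ALLOWED_TYPES:
        return (False, detected, "type not allowed")
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else None
    if ext is not None:
        expected = EXT_TO_TYPE.get(ext)
        if expected is None:
            return (False, detected, "extension not on safe list")
        if expected != detected:
            return (False, detected, "extension does not match content")
    return (True, detected, "accepted")


def _make_bmp() -> bytes:
    """Constructed minimal BMP: 'BM', declared size, reserved, pixel offset, padding."""
    body = b"\x00" * 40
    return b"BM" + struct.pack("<I", 14 + len(body)) + b"\x00\x00\x00\x00" + b"\x36\x00\x00\x00" + body


# Constructed sample inputs (headers only; not real images).
SAMPLES = {
    "png":  b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17,
    "gif":  b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 10,
    "jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "eps":  b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
    "bmp":  _make_bmp(),
    "exe":  b"MZ\x90\x00" + b"\x00" * 60,   # a DOS/Windows executable header
}

if __name__ == "__main__":
    for name, mime, key in [("logo", "application/octet-stream", "gif"),
                            ("logo.jpg", "image/jpeg", "png"),
                            ("logo.gif", "image/gif", "exe"),
                            ("logo.eps", "application/octet-stream", "eps")]:
        print(name, mime, validate_upload(name, mime, SAMPLES[key]))
```

When the file is accepted, store it under a server-generated name with an extension derived from the detected type rather than from whatever the user sent, so a later download or image tag never relies on the original filename either. The check only establishes that the bytes look like the claimed format; it does not prove the file is harmless to the desktop applications that will eventually open it, which is why the virus scan the post already mentions still belongs in the workflow.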