The risk of attacks on web systems increased with the reliance of web systems in a wide range of businesses, and attackers invent new techniques to crack these systems. According to OWASP SQL injection stays one of the top 10 web applications security risks. This research use machine learning to detect SQL injection attacks, we used four machine learning models to detect SQL injection attacks. An insight into the data shows that data preparation and feature extraction have influenced detection accuracy. The used training dataset is a combination of live requests extracted from the user requests log files and the training dataset contains records of benign and malicious SQL queries. Then we compared the use of these models in terms of quality and speed of training, results showed that Support Vector Model achieved the highest detection accuracy with 0.997 accuracy followed by Extreme Gradient Boosting with 0.995 accuracy. On the other hand, Naïve Bayes using N-gram level feature extraction model was the fastest model it required 6 milliseconds to train the classifier.