Build a String for Database.query

The best way to avoid this problem is to use binding syntax if you need to use dynamic SOQL - it is easier to get right and cleaner to read. Importantly it also eliminates the risk of a SOQL Injection attack. Note that the value bound has to be a simple variable reference (e.g. not a dotted expression) for the dynamic SOQL case.

So:

String companyLike = '%' + compagnia + '%';
String query = 'select Id, Company from Lead where Company like :companyLike';
List<Lead> leads = Database.query(query);

But for your case static SOQL is cleaner still and gets checked by the compiler so is the better way to go:

String companyLike = '%' + compagnia + '%';
List<Lead> leads = [select Id, Company from Lead where Company like :companyLike];