First of all, your code is vulnerable to SQL Injection.
And the good news is, if you take care of prevention for SQL Injection, it will automatically solve your issue too.
Either you can create a stored procedure or consider creating a parameterised query, something like the following:
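// Requires: using System.Data; using System.Data.SqlClient;
// The SQL text contains only the @Ledger placeholder, never the value itself.
var lstQuery = @"select * from Transactions where MasterId not in (Select masterId from BillDetails) and MasterId in (select MasterId from Transactions where Ledger=@Ledger) and Ledger= @Ledger";
SqlCommand cmd = new SqlCommand(lstQuery, CGlobalTally_MT.sqlConnection);
// Bind the value to @Ledger; it is sent to the server as data, not as SQL.
cmd.Parameters.AddWithValue("@Ledger", item);
SqlDataAdapter ada = new SqlDataAdapter(cmd);
DataTable dtvendBill = new DataTable();
// Fill opens the connection if needed, runs the query and loads the rows.
ada.Fill(dtvendBill);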
Hope it helps :)
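
The difference between concatenation and binding, as an added example that is not part of the original answer: it runs a shortened form of the query both ways against an in-memory SQLite database, standing in for SQL Server and ADO.NET. The table contents, the ledger names and the function names are constructed for illustration, and SQLite's `:Ledger` placeholder plays the role of `@Ledger`.

```python
import sqlite3

def make_db():
    # Constructed sample data; one ledger name contains an apostrophe.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table Transactions (MasterId integer, Ledger text, Amount real);
        create table BillDetails (MasterId integer);
        insert into Transactions values (1, 'Acme Ltd', 100.0);
        insert into Transactions values (2, 'O''Brien Traders', 250.0);
        insert into Transactions values (3, 'Acme Ltd', 75.0);
        insert into BillDetails values (3);
    """)
    return db

# Shortened form of the answer's query: unbilled transactions for one ledger.
QUERY = ("select MasterId from Transactions where MasterId not in "
         "(select MasterId from BillDetails) and Ledger = ")

def unbilled_concat(db, ledger):
    # Before: the value is pasted into the SQL text, so it is parsed as SQL.
    try:
        rows = db.execute(QUERY + "'" + ledger + "'").fetchall()
        return sorted(r[0] for r in rows)
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)

def unbilled_param(db, ledger):
    # After: the value is bound as data and never parsed as SQL.
    rows = db.execute(QUERY + ":Ledger", {"Ledger": ledger}).fetchall()
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = make_db()
    # A plain name, a name with an apostrophe, and a value that alters the
    # WHERE clause when concatenated (all constructed).
    for name in ("Acme Ltd", "O'Brien Traders", "x' or '1'='1"):
        print(repr(name), unbilled_concat(db, name), unbilled_param(db, name))
```

With concatenation the apostrophe name fails to parse and the third value matches every row; with the bound parameter each value is compared literally against the Ledger column.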