Hi,
I'm afraid it's not really be possible to protect this
I explain: since the parameters are within the URI it means the form uses GET method to send the data.
Then between the client and the BIGIP, the URI will always contain the different parameter and their value, you won't be able to hide it since it is send by the client.
You may want to rename the parameter but it would be useless since the client will know what it is in the URI based on the value that will be assigned to each parameter.
Ex: let's say you hash in the form received by the client the username and password header. When the client will enter his credential he will see something like this in his browser:
http://www.test.com/index.php?sidjfsoidjf=thisistheuser&sfjsdoijfoif=thisismypassword
So the client will be able to know which parameter to modify after.
If you want to hide the parameter from the URI, you will need to use POST method and it will only hide the data into the http payload. If the client is smart he'll be able to find those data and modify it then using software like paros.
In your case you won't be able to do anything with iRules only.
HTH