Hi,
The first thing I notice is that you're using global variables to save the values. Global variables are shared across multiple connections which would cause trampling. You can change them to local variables by removing the ::. Second, if the client is sending un-encoded &'s in the parameter value, you won't be able to split the parameters based on the & as a delimiter. You
might be able to split them if you parse the boundary from the Content-Type header and then break up the chunks of data to get just the parameter value. I would imagine it would be a complicate rule and take a lot of CPU and memory to perform the validation.
Even if you're able to parse the parameter values, I think you're going to have a hard time coming up with a comprehensive validation methodology using just iRules. You might consider F5's application firewall, ASM. With it, you can validate all the input a user sends in requests and the application's responses. This includes the request method, headers, query string and post data parameters and server responses. You get much more granular control if you need it, but can still set reasonable defaults. Also, the parsing and decoding is handled for you.
If you do continue with the iRule approach, reply if you run into more problems or make progress.
Aaron