You should never be storing or processing arbitrary params. The page that receives the user's post data should know exactly which parameters to expect and what formats they may be in.
First validate each expected parameter and if validation passes -- with the exception of the spambot criteria -- populate an object with the validated parameters and save that object in the session. You can get it back out if the captcha is succesful.
Edit
In response to your comment: From a security POV, you are trying to architect your function at too high a level. By having no "local knowledge" you have no option but to open yourself up to security problems. Have a think about how to introduce your method call at a lower level.
Here's a loosely worked example:
Let each page/controller/action/whatever validate their own data first (only the local code knows how to validate it's own data), then let each action call your spambot filter/redirect component/method, passing the validated form data it wishes to be persisted along with the fieldnames that need to be spam-checked.
Your method can spam-check the potential problem fields, persist the data and redirect to re-captcha.
In pseudo-code, each web action that needs a spam check can do something like below. It reqiures just one method call
e.g.
void someAction( untrustedData ) {
trustedData = object;
trustedData.id = makeInt( badData.id );
trustedData.name = safeCharsOnly( untrustedData.name );
trustedData.message = safeCharsOnly( untrustedData.message ); # <-- spam-check this
fieldsToSpamCheck = ['message'];
successUrlBase = '/myapp/sandwiches/postMessage';
if (!spamChecker.check( trustedData, fieldsToSpamCheck, successUrlBase )) {
// spamChecker will check specified params
// if not spam, it returns true
// if spam it sets a http redirect and returns false
return;
}
processData( trustedData );
}